Means
Ability to Modify Cloud Resources
Access
Aiding and Abetting
Bluetooth
Bring Your Own Device (BYOD)
Clipboard
Delegated Access via Managed Service Providers
FTP Servers
Installed Software
Media Capture
Network Attached Storage
Physical Disk Access
Placement
Printing
Privileged Access
Removable Media
Screenshots and Screen Recording
Sensitivity Label Leakage
SMB File Sharing
SSH Servers
System Startup Firmware Access
Unauthorized Access to Unassigned Hardware
Unmanaged Credential Storage
Unrestricted Software Installation
Unrevoked Access
Web Access
- ID: ME001
- Created: 22nd May 2024
- Updated: 08th September 2025
- Platforms: WindowsLinuxMacOSiOSAndroid
- Contributor: The ITM Team
Unauthorized Access to Unassigned Hardware
The subject accesses or uses a corporate hardware asset, typically a laptop or other endpoint device, that is not assigned to them by role, provisioning, or inventory records. This behavior often emerges in environments with weak asset lifecycle controls, during periods of staff transition, or when hardware is reissued informally without updating allocation systems.
Subjects may obtain unassigned hardware through dormant inventory, “loaner” pools, peer handoffs, or by reactivating previously deprovisioned devices. Use of unassigned hardware circumvents standard monitoring, ownership attribution, and access governance. It may be leveraged to evade visibility, perform preparatory actions, or compartmentalize risky activity away from their primary, monitored device.
Investigators should view such access as a strong early indicator of potential infringement(s), particularly when associated with stale or unmanaged hardware, elevated privilege configuration, or the absence of endpoint telemetry.
Subsections (2)
| ID | Name | Description |
|---|---|---|
| ME001.001 | Access to Asset Past Termination | The subject accesses a corporate hardware asset, most commonly a laptop or corporate mobile device, after their employment has formally ended. This typically occurs due to gaps in deprovisioning, delayed hardware recovery, or the subject physically retaining the device despite offboarding procedures. Post-termination access may be opportunistic or intentional, and may precede or coincide with data exfiltration, sabotage, or unauthorized continuation of internal access.
This sub-section is relevant in cases where the hardware asset is no longer linked to an active identity in HR systems but remains technically functional and capable of network, VPN, or service access. Such access undermines the assumption that termination alone revokes operational capability and may point to procedural drift in IT, HR, or facilities handover workflows. |
| ME001.002 | Purchase and Use of Unmanaged Corporate Hardware | The subject purchases a laptop (or similar endpoint) using a corporate payment method but does so outside established procurement and provisioning processes. By bypassing IT and asset management workflows, the subject introduces a corporate-funded but unmanaged device into the environment.
Such devices often lack standard security controls—such as endpoint detection and response (EDR), encryption, configuration baselines, or patching—and may not be tracked in asset inventory systems. While the subject may rationalize the purchase as operationally necessary (e.g., urgency, convenience, or perceived lack of IT responsiveness), the result is a sanctioned but invisible device with the potential to bypass monitoring and governance controls.
This behavior undermines organizational asset control, complicates investigative attribution, and introduces unmanaged endpoints capable of accessing sensitive networks and data. |