Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Exploration
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR003.005
- Created: 31st May 2024
- Updated: 26th July 2024
- Contributor: The ITM Team
Installing Cloud Storage Applications
A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.
Prevention
ID | Name | Description |
---|---|---|
PV015 | Application Whitelisting | By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves. |
PV003 | Enforce an Acceptable Use Policy | An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks. |
PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |
Detection
ID | Name | Description |
---|---|---|
DT044 | Linux dpkg Log | The Debian Package Management (dpkg) utility is responsible for software installation and management. This tool provides one or more log files, located at This log contains the timestamp, the action conducted, and the package name and version. To view pakage installs, the following command can be used: To view package uninstalls, the following command can be used: |
DT043 | Sysmon Process Create Event | This detection is not enabled by default and requires additional configuration. System Monitor (Sysmon) Event ID 1 is used to record process execution. Reviewing these logs can determine what software has been run on a system. |
DT036 | Windows Jump Lists | Windows Jump Lists are a feature that provides quick access to recently or frequently used files. |
DT026 | Windows LNK Files | LNK files or Shortcut files are stored in the location These files are automatically created when a user account accesses a file through Windows Explorer. This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path. |
DT027 | Windows Prefetch | In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution. Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists. |