Preparation
Archive Data
Authorization Token Staging
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Delegated Preparation via Artificial Intelligence Agents
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Hardware-Based Remote Access (IP-KVM)
Impersonation
Increase Privileges
IT Ticketing System Exploration
Joiner
Media Capture via External Device
Mover
Network Scanning
On-Screen Data Collection
Oversight Circumvention and Control Degradation
Persistent Access via Bots
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installation of Dark Web-Capable Browsers
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
VPN Usage
- ID: PR004
- Created: 25th May 2024
- Updated: 14th June 2024
- Contributor: The ITM Team
File Exploration
A subject may search for, or otherwise explore files on a local system to identify sensitive information.
Subsections (4)
| ID | Name | Description |
|---|---|---|
| PR004.002 | Collaboration Platform Exploration | A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information. |
| PR004.004 | Local System File Exploration | The subject browses, searches, or navigates files stored on a local system to identify data of interest. This includes interaction with files located on endpoint storage such as workstation drives, cached directories, synchronized folders (e.g., cloud sync clients), or application-specific storage locations.
Local file exploration may involve directory traversal, use of operating system search functions, sorting or filtering file views, and opening or previewing files without immediate transfer. In many environments, locally stored data includes synchronized copies of cloud repositories, downloaded attachments, or cached sensitive information, making it a viable source for discovery activity prior to exfiltration. |
| PR004.001 | Network File Exploration | A subject may search for, or otherwise explore files on a Network Attached Storage (NAS) device to identify sensitive information. |
| PR004.003 | Removable Media File Exploration | The subject browses, searches, or navigates files stored on removable media to identify data of interest. This includes interaction with external storage devices such as USB flash drives, external hard drives, memory cards, or other mountable media connected to an endpoint.
File exploration on removable media may involve directory traversal, file listing, previewing, or opening files directly from the mounted device. This activity can occur either on media introduced by the subject or on devices previously used for data staging or transfer. |