Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Exploration
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR004.001
- Created: 25th May 2024
- Updated: 14th June 2024
- Contributor: The ITM Team
Network File Exploration
A subject may search for, or otherwise explore files on a Network Attached Storage (NAS) device to identify sensitive information.
Prevention
ID | Name | Description |
---|---|---|
PV008 | Enforce File Permissions | File servers and collaboration platforms such as SharePoint, Confluence, and OneDrive should have configured permissions to restrict unauthorized access to directories or specific files. |
Detection
ID | Name | Description |
---|---|---|
DT009 | Cyber Deception, File Canary | By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.
By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected. |