ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR004.002
  • Created: 25th May 2024
  • Updated: 29th July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Collaboration Platform Exploration

A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information.

Prevention

ID Name Description
PV008Enforce File Permissions

File servers and collaboration platforms such as SharePoint, Confluence, and OneDrive should have configured permissions to restrict unauthorized access to directories or specific files.

Detection

ID Name Description
DT019Chrome Browser History

Google's Chrome browser stores the history of accessed websites and files downloaded.

 

On Windows, this information is stored in the following location:

C:/Users/<Username>/AppData/Local/Google/Chrome/User Data/Default/

On macOS:

/Users/<Username>/Library/Application Support/Google/Chrome/Default/

On Linux:

/home/<Username>/.config/google-chrome/Default/

 

Where /Default/ is referenced in the paths above, this is the default profile for Chrome, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

DT009Cyber Deception, File Canary

By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.

 

By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected.

DT018Edge Browser History

Microsoft's Edge browser stores the history of accessed websites and files downloaded.

 

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\

On macOS:

/Users/<Username>/Library/Application Support/Microsoft Edge/Default/

On Linux:

/home/<Username>/.config/microsoft-edge/Default/

 

Where /Default/ is referenced in the paths above, this is the default profile for Edge, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

DT017Firefox Browser History

Mozilla's Firefox browser stores the history of accessed websites.

 

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile Name>\

On macOS:

/Users/<Username>/Library/Application Support/Firefox/Profiles/<Profile Name>/

On Linux:

/home/<Username>/.mozilla/firefox/<Profile Name>/

 

In this location two database files are relevant, places.sqlite (browser history and bookmarks) and favicons.sqlite (favicons for visited websites and bookmarks).
 

These database files can be opened in software such as DB Browser For SQLite.

DT062Microsoft 365 Admin Center Sign-in Activity

From the Microsoft 365 Admin Center homepage (https://admin.microsoft.com/#/homepage), after a specific user account has been selected under ‘Users’ > ‘Active Users’, it is possible to view limited sign-in activity under ‘Last sign-in’ > ‘View last 30 days’.

This displays the Date, Status, and Failure reason (if appropriate).

DT063Microsoft Entra ID Sign-in Logs

From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.

This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.

DT094Microsoft Purview Audit Search

Microsoft's Purview portal has a feature named Audit that permits access to critical audit log event data to gain insight and further investigate user activities. This can be used to investigate activity from a range of Microsoft services, such as SharePoint, OneDrive, and Outlook. Searches can be scoped to a specific timeframe, user account, and platform using the extensive filters available.