ITM is an open framework - Submit your contributions now.

Preparation

Archive Data

Boot Order Manipulation

CCTV Enumeration

Circumventing Security Controls

Data Obfuscation

Renaming Files or Changing File Extensions

Data Staging

Device Mounting

Email Collection

External Media Formatting

File Exploration

IT Ticketing System Exploration

Network Scanning

Physical Disk Removal

Physical Exploration

Physical Item Smuggling

Private / Incognito Browsing

Read Windows Registry

Security Software Enumeration

Social Engineering (Outbound)

Software Installation

Software or Access Request

Managerial Approval

Suspicious Web Browsing

Testing Ability to Print

ID: PR005
Created: 25th May 2024
Updated: 14th June 2024
Contributor: The ITM Team

IT Ticketing System Exploration

A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information.

Prevention

ID	Name	Description
PV002	Restrict Access to Administrative Privileges	The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Detection

ID	Name	Description
DT052	Audit Logging	Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns.
DT019	Chrome Browser History	Google's Chrome browser stores the history of accessed websites and files downloaded. On Windows, this information is stored in the following location: `C:/Users/<Username>/AppData/Local/Google/Chrome/User Data/Default/` On macOS: `/Users/<Username>/Library/Application Support/Google/Chrome/Default/` On Linux: `/home/<Username>/.config/google-chrome/Default/` Where `/Default/` is referenced in the paths above, this is the default profile for Chrome, and can be replaced if a custom profile is used. In this location one database file is relevant, `history.sqlite`. This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.
DT018	Edge Browser History	Microsoft's Edge browser stores the history of accessed websites and files downloaded. On Windows, this information is stored in the following location: `C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\` On macOS: `/Users/<Username>/Library/Application Support/Microsoft Edge/Default/` On Linux: `/home/<Username>/.config/microsoft-edge/Default/` Where `/Default/` is referenced in the paths above, this is the default profile for Edge, and can be replaced if a custom profile is used. In this location one database file is relevant, `history.sqlite`. This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.
DT017	Firefox Browser History	Mozilla's Firefox browser stores the history of accessed websites. On Windows, this information is stored in the following location: `C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile Name>\` On macOS: `/Users/<Username>/Library/Application Support/Firefox/Profiles/<Profile Name>/` On Linux: `/home/<Username>/.mozilla/firefox/<Profile Name>/` In this location two database files are relevant, `places.sqlite` (browser history and bookmarks) and `favicons.sqlite` (favicons for visited websites and bookmarks). These database files can be opened in software such as DB Browser For SQLite.
DT039	Web Proxy Logs	Depending on the solution used, web proxies can provide a wealth of information about web-based activity. This can include the IP address of the system making the web request, the URL requested, the response code, and timestamps. An organization must perform SSL/TLS interception to receive the most complete information about these connections.