Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Exploration
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR015.002
- Created: 31st May 2024
- Updated: 19th July 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
Remote Email Collection
A subject retrieves email files from a remote email server. The subject might use their own or other obtained credentials to access an email mailbox and subsequently copy emails and/or data contained within emails. Remote email collection can be conducted against on-premises email servers, webmail, and cloud-based email services.
Detection
ID | Name | Description |
---|---|---|
DT062 | Microsoft 365 Admin Center Sign-in Activity | From the Microsoft 365 Admin Center homepage (https://admin.microsoft.com/#/homepage), after a specific user account has been selected under ‘Users’ > ‘Active Users’, it is possible to view limited sign-in activity under ‘Last sign-in’ > ‘View last 30 days’. This displays the Date, Status, and Failure reason (if appropriate). |
DT063 | Microsoft Entra ID Sign-in Logs | From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts. This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location. |