Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Exploration
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR017
- Created: 31st May 2024
- Updated: 14th June 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
Archive Data
A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.
Subsections
| ID | Name | Description |
|---|---|---|
| PR017.003 | Archive via Compression | A subject uses utilities to compress collected data prior to exfiltration. |
| PR017.004 | Archive via Encryption | A subject uses utilities to encrypt collected data prior to exfiltration. |
| PR017.002 | Archive via Library | A subject uses utilities to compress and/or encrypt collected data prior to exfiltration. |
| PR017.001 | Archive via Utility | A subject uses utilities to compress and/or encrypt collected data prior to exfiltration. |
Prevention
| ID | Name | Description |
|---|---|---|
| PV015 | Application Whitelisting | By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves. |
| PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |
Detection
| ID | Name | Description |
|---|---|---|
| DT043 | Sysmon Process Create Event | This detection is not enabled by default and requires additional configuration. System Monitor (Sysmon) Event ID 1 is used to record process execution. Reviewing these logs can determine what software has been run on a system. |