Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Increase Privileges
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR022
- Created: 26th July 2024
- Updated: 14th December 2024
- Contributor: The ITM Team
Social Engineering (Outbound)
A subject deceptively manipulates and/or persuades others in order to gain access to devices, systems or services that hold sensitive information, or to otherwise cause harm or undermine a target organization.
Prevention
| ID | Name | Description |
|---|---|---|
| PV012 | End-User Security Awareness Training | Mandatory security awareness training for employees can help them to recognize a range of cyber attacks that they can play a part in preventing or detecting. This can include topics such as phishing, social engineering, and data classification, amongst others. |
Detection
| ID | Name | Description |
|---|---|---|
| DT041 | Email Gateway | Email gateway solutions offer the ability to trace inbound and outbound emails to an organization. This can be used to retrieve information such as emails sent or received, the subject line, content, attachments, timestamps, and recipients. |
| DT107 | Microsoft Teams Admin Center Meeting and Call History | From the Microsoft Teams admin center, it is possible to review previous Teams meetings or calls that a user account has joined. These logs include key information such as meeting or call ID, start time, duration, and participants. The purpose of this information is to assist with troubleshooting meeting or call issues; however, investigators can use it to determine when user accounts have participated in meetings or calls.
The following URL can be used to view this activity log, provided the investigator's account has the Microsoft Teams Administrator role assigned, or a role with higher privileges: Select Users, Manage Users, then the account being investigated. Click on Meetings & Calls, then scroll to the bottom of the page to view the Past Meetings table. Clicking on a meeting or call ID will provide more detailed information. |