- ID: PR031
- Created: 23rd November 2025
- Updated: 23rd November 2025
- Contributor: The ITM Team
VPN Usage
The subject establishes an outbound Virtual Private Network (VPN) connection from an organizational endpoint (or Bring-Your-Own-Device system) to an external VPN provider, proxy service, or remote-hosted infrastructure. This behavior may occur during early preparation for data exfiltration, coordination with external parties, or operational concealment.
VPN usage can allow a subject to bypass enterprise monitoring, obscure the true destination of outbound traffic, or simulate trusted connections. In some cases, VPN tunnels are used to bridge otherwise segmented environments, enabling access to personal devices, unmanaged infrastructure, or overseas collaborators.