- ID: PR039
- Created: 19th April 2026
- Updated: 19th April 2026
- Contributor: The ITM Team
Observational Information Gathering
The subject gathers sensitive, restricted, or operationally relevant information by observing others as they perform tasks, access systems, or handle data. This behavior allows the subject to obtain knowledge that is not formally available to them through their assigned role, access permissions, or authorized channels.
Observation may occur in both covert and overt forms, and the boundary between the two is often fluid.
Covert observation involves the subject acquiring information without the awareness of the observed individual. This includes:
- Viewing credentials as they are entered (shoulder-surfing)
- Observing screen content from adjacent or rear positions
- Using reflections, positioning, or timing to capture sensitive data
- Repeated proximity during authentication or system interaction events
Overt observation involves the subject obtaining information through socially facilitated or procedural means, often under a legitimate or benign pretext. This includes:
- Requesting demonstrations of systems or workflows outside their role requirements
- Asking colleagues to walk through processes involving sensitive data or privileged actions
- Positioning themselves as curious, collaborative, or in training to gain visibility
- Attending or inserting themselves into activities without a defined business need
The information gathered may include:
- Authentication credentials or authentication patterns
- System navigation paths and access points
- Sensitive datasets or document locations
- Operational procedures, controls, or workarounds
This behavior serves as a foundational preparatory technique, supporting a wide range of downstream actions including unauthorized access, impersonation, data exfiltration, or policy circumvention.