ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: IF002.008
  • Created: 26th July 2024
  • Updated: 26th July 2024
  • Platforms: Android, iOS
  • Contributor: The ITM Team

Exfiltration via USB to Mobile Device

The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.

Prevention

ID Name Description
PV015Application Whitelisting

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

PV009Prohibition of Devices On-site

Certain infringements can be prevented by prohibiting certain devices from being brought on-site.

Detection

ID Name Description
DT033Closed-Circuit Television

CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record it to a video file.

DT036Windows Jump Lists

Windows Jump Lists are a feature that provides quick access to recently or frequently used files.

DT026Windows LNK Files

LNK files or Shortcut files are stored in the location C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent Items and have the “.lnk” file extension.

These files are automatically created when a user account accesses a file through Windows Explorer.

This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path.

DT027Windows Prefetch

In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in c:\windows\prefetch, these files are created with the extension .pf and have the following format <EXECUTABLE>-<HASH>.pf.

These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.

Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.

DT032Windows Thumbcache

Thumbnail Cache, a feature introduced in Windows operating systems starting with Windows Vista, enhances the user experience by caching thumbnail images of files. This functionality, when enabled, speeds up and makes loading these images more efficient in various views, such as File Explorer, by generating preview images or thumbnails for various multimedia files.

This artifact can provide evidence of the presence of files even if they have been deleted.