ITM is an open framework - Submit your contributions now.

Detections

ConsoleHost_history.txt Created Timestamp Discrepancy

ConsoleHost_history.txt File Missing

Windows File Deleted, Event Logs

Windows System Logging was Cleared

Print Spooler Service

Installed Printers via Registry

Printed Documents via Event Logs

Tamper Seal

Cyber Deception, File Canary

Cyber Deception, Honeypot

Cyber Deception, Honey User

Windows Operating System Installed Date

NTFS Timestamp Discrepancy

Utilize Cold Storage for Logs

Windows Local Account Deleted

Windows System Shutdown, Event Logs

Firefox Browser History

Edge Browser History

Chrome Browser History

Shellbags, USB Removable Storage

USBSTOR Registry Key

USB Registry Key

MountedDevices Registry Key

Windows Event Log, DriverFrameworks-UserMode

Windows Setupapi.dev.log

Windows LNK Files

Windows Prefetch

File Metadata

File EXIF Data

auditd Timestamp Modification Rule

Windows Thumbcache

Closed-Circuit Television

Terminal Service Client Registry Key

RDP Bitmap Cache

Windows Jump Lists

auditd File Access

Windows Recycle Bin

Web Proxy Logs

Microsoft Exchange Message Trace

Email Gateway

Network Intrusion Detection Systems

Sysmon Process Create Event

Linux dpkg Log

Agent Capable of User Activity Monitoring

Agent Capable of Endpoint Detection and Response

Agent Capable of User Behaviour Analytics

Data Loss Prevention Solution

Social Media Monitoring

Impossible Travel

DNS Logging

Audit Logging

Missing .bash_history File

.bash_history Timestamp Discrepency

PowerShell Logging

User Account Deleted, Windows Event Log

Chrome Browser Cookies

Chrome Browser Login Data

Chrome Browser Bookmarks

Chrome Browser Extensions

Notepad.exe TabState

Microsoft 365 Admin Center Sign-in Activity

Microsoft Entra ID Sign-in Logs

AWS CloudTrail, Resource Deletion

GCP Cloud Audit Logs, Resource Deletion

Azure Activity Log, Resource Deletion

Financial Auditing

Windows Event Log, Logon and Logoff

Security Software Anti-Tampering Alerts

Windows Event Log, Local Firewall Changes

Map Network Drive MRU

TypedPaths

Network Registry Key

Shellbags, Network Drives

USB MountPoints2

Bash History

AzureAD PowerShell Log

Clipboard Payloads via ActivitiesCache.db

MFT Entry Number Sequence Irregularities

MFT Unusual Timestamp Patterns

MFT and Shimcache Executable Timestamp Comparison

Microsoft Purview Audit Search

Windows Event Log, Software Uninstallation

DNS Monitoring

Deep Packet Inspection

NetFlow Analysis

Windows Event Log, Audit Removable Storage

Virtual Private Network (VPN) Logs

Cloud User Behavior Analytics (UBA)

Cloud User and Entity Behavior Analytics (UEBA)

Photographic Identification Comparison

Leaver Watchlist

ID: DT007
Created: 25th May 2024
Updated: 19th June 2024
Platform: Windows
Contributor: The ITM Team

Printed Documents via Event Logs

Windows logs print job activities to Event logs, containing information such as job creation, completion, errors, and adding or deleting printer devices.

Windows Logs -> System

Event ID 307 - A document was printed.

Event ID 310 - A document failed to print.

Event ID 701 - Printer status changed.

Event ID 703 - Printer object added.

Event ID 804 - Document resumed for printing.

Event ID 805 - Printer driver was installed.

Applications and Services Logs -> Microsoft -> Windows -> PrintService -> Operational

Event ID 808 - Printer driver was installed.

Event ID 843 - The print spooler failed to import the printer driver.

Event ID 1000 - Document print started.

Event ID 1001 - Document was printed.

Event ID 1100 - Printer was added.

Event ID 1101 - Printer was deleted.

Event ID 1200 - Print spooler service started.

Event ID 1201 - Print spooler service stopped.

Sections

ID	Name	Description
PR013	Testing Ability to Print	A subject attempts to print a document from a system to identify if this capability is permitted, restricted, or not possible.
ME014	Printing	A subject has the ability to print documents and other files.
IF006	Unauthorized Printing of Documents	A subject exfiltrates information by printing it to paper or other physical medium.
IF006.001	Printing of Documents with Personal Printer	A subject prints a document using a printer they own, physically exfiltrating the information.
IF006.002	Printing of Documents with Work Printer	A subject prints a document using a printer owned by the organization, with the intent to physically exfiltrate the information.
ME014.001	External Printing	A subject has the ability to print documents and other files with a printer outside of the organisation’s control.
IF002.005	Exfiltration via Physical Documents	A subject tansports physical documents outside of the control of the organization.