Windows LNK Files

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.

A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.

nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.

Linux has the built-in command touch that has functionality that allows a user to update the access and modified dates of a file. The command can be run like this:

touch -a -m -d ‘10 February 2001 12:34' <file>

The argument -a refers to the access time, -m refers to the modify time, and -d refers to the date applied to the target file.

A subject uses a messaging application to exfiltrate data through messages or uploaded media.

A subject can install software on a device without restriction.

A subject can leverage software approved for installation or software that is already installed.

The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as regsitry keys or files necessary for the software to run, preventing them from being used by investigators to track activity.

A subject installs a hypervisor that allows them to create and access virtual environments on a device.

A subject installs a VPN application that allows them to tunnel their traffic.

A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction.

A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.

A subject installs an unapproved note taking application with the ability to sync notes across the Internet.

A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet.

A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network.

A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network.

A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network.

A subject installs screen sharing software which can be used to capture images or other information from a target system.

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

A subject uses utilities to compress collected data prior to exfiltration.

A subject uses utilities to encrypt collected data prior to exfiltration.

A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system.

A subject has access to or can install screen sharing software which can be used to capture images or other information from a target system.

A subject intentionally introduces and attempts to execute malware on a system.

A subject unintentionally introduces and attempts to execute malware on a system. This is can be achieved through various methods, such as phishing, malvertising, torrented downloads, and social engineering.

A subject installs software that is not considered appropriate by the organization.

A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.

A subject uses files with canary tokens as a tripwire mechanism to detect the presence of security personnel or investigation activities within a compromised environment. This method involves strategically placing files embedded with special identifiers (canary tokens) that trigger alerts when accessed. For example:

The subject creates files containing canary tokens—unique identifiers that generate an alert when they are accessed, opened, or modified. These files can appear as regular documents, logs, configurations, or other items that might attract the attention of an investigator during a security response.

The subject strategically places these files in various locations within the environment:

• Endpoints: Files with canary tokens are stored in directories where digital forensics or malware analysis is likely to occur, such as system logs, user data directories, or registry entries.
• Cloud Storage: The files are uploaded to cloud storage buckets, virtual machines, or application databases where security teams might search for indicators of compromise.
• Network Shares: Shared drives and network locations where forensic investigators or security tools may perform scans.

Once in place, the canary token within each file serves as a silent tripwire. The token monitors for access and automatically triggers an alert if an action is detected:

• Access Detection: If a security tool, administrator, or investigator attempts to open, modify, or copy the file, the embedded canary token sends an alert to an external server controlled by the subject.
• Network Traffic: The token can initiate an outbound network request (e.g., HTTP, DNS) to a specified location, notifying the subject of the exact time and environment where the access occurred.
• Behavior Analysis: The subject might include multiple canary files, each with unique tokens, to identify the pattern of investigation, such as the sequence of directories accessed or specific file types of interest to the security team.

Upon receiving an alert from a triggered canary token, the subject can take immediate steps to evade detection:

• Alert the Subject: The canary token sends a covert signal to the subject's designated server or communication channel, notifying them of the potential investigation.
• Halt Malicious Activity: The subject can use this warning to suspend ongoing malicious actions, such as data exfiltration or command-and-control communications, to avoid further detection.
• Clean Up Evidence: Scripts can be triggered to delete or alter logs, remove incriminating files, or revert system configurations to their original state, complicating any forensic investigation.
• Feign Normalcy: The subject can restore or disguise compromised systems to appear as though nothing suspicious has occurred, minimizing signs of tampering.

By using files with canary tokens as tripwires, a subject can gain early warning of investigative actions and respond quickly to avoid exposure. This tactic allows them to outmaneuver standard security investigations by leveraging silent alerts that inform them of potential security team activity.