- ID: DT051
- Created: 08th June 2024
- Updated: 17th June 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
DNS Logging
Logging DNS requests made by corporate devices can assist with identifying what web resources a system has attempted to or successfully accessed.
Sections
ID | Name | Description |
---|---|---|
ME006 | Web Access | A subject can access the web with an organization device. |
ME006.001 | Webmail | A subject can access personal webmail services in a browser. |
ME006.002 | Cloud Storage | A subject can access personal cloud storage in a browser. |
ME006.003 | Inappropriate Websites | A subject can access websites containing inappropriate content. |
ME006.004 | Note-Taking Websites | A subject can access external note-taking websites (such as Evernote). |
ME006.005 | Messenger Services | A subject can access external messenger web applications with the ability to transmit data and/or files. |
IF001.001 | Exfiltration via Cloud Storage | A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. |
ME006.006 | Code Repositories | A subject can access websites used to access or manage code repositories. |
AF004.001 | Clear Chrome Artifacts | A subject clears Google Chrome browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |
AF004.003 | Clear Firefox Artifacts | A subject clears Mozilla Firefox browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |
AF004.002 | Clear Edge Artifacts | A subject clears Microsoft Edge browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |
ME006.007 | Text Storage Websites | A subject can access external text storage websites, such as Pastebin. |
AF018.003 | Canary Tokens | A subject uses files with canary tokens as a tripwire mechanism to detect the presence of security personnel or investigation activities within a compromised environment. This method involves strategically placing files embedded with special identifiers (canary tokens) that trigger alerts when accessed. For example: The subject creates files containing canary tokens, unique identifiers that generate an alert when they are accessed, opened, or modified. These files can appear as regular documents, logs, configurations, or other items that might attract the attention of an investigator during a security response. The subject strategically places these files in various locations within the environment: Once in place, the canary token within each file serves as a silent tripwire. The token monitors for access and automatically triggers an alert if an action is detected: Upon receiving an alert from a triggered canary token, the subject can take immediate steps to evade detection: By using files with canary tokens as tripwires, a subject can gain early warning of investigative actions and respond quickly to avoid exposure. This tactic allows them to outmaneuver standard security investigations by leveraging silent alerts that inform them of potential security team activity. |
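As an added example of how DNS logging feeds the web-access sections above (this is illustrative code written for this page, not ITM project code), the script below reads resolver query logs and attributes each client's lookups to the ME006 sub-sections it matches. It assumes dnsmasq-style `query[TYPE] name from client` log lines; the watchlist of webmail, cloud storage, note-taking, messenger, code-repository and text-storage domains is a constructed starting point that an organisation would replace with its own lists, and the sample log lines are constructed.

```python
"""Classify DNS query logs against the ITM ME006 web-access categories.

Added example for DT051 (not ITM project code). Log format assumed: dnsmasq
"query[TYPE] name from client" lines; the watchlist domains are a constructed
starting point, not an ITM-maintained list.
"""
import re
from collections import defaultdict

# Constructed watchlist: ITM sub-section -> registrable domains to watch.
# A query for a name equal to, or a subdomain of, an entry matches that category.
WATCHLIST = {
    "ME006.001 Webmail": {"mail.google.com", "outlook.live.com", "mail.yahoo.com", "proton.me"},
    "ME006.002 Cloud Storage": {"dropbox.com", "drive.google.com", "onedrive.live.com", "mega.nz"},
    "ME006.004 Note-Taking Websites": {"evernote.com", "notion.so"},
    "ME006.005 Messenger Services": {"web.telegram.org", "web.whatsapp.com", "discord.com"},
    "ME006.006 Code Repositories": {"github.com", "gitlab.com", "bitbucket.org"},
    "ME006.007 Text Storage Websites": {"pastebin.com", "paste.ee", "hastebin.com"},
}

# dnsmasq query line: "... query[A] www.dropbox.com from 10.10.4.21"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)")


def parse_query(line):
    """Return (qname, src) for a dnsmasq query line, or None for other lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    # Normalise: lowercase, drop the trailing dot of a fully qualified name.
    qname = m.group("qname").lower().rstrip(".")
    return qname, m.group("src")


def classify(qname):
    """Return the watchlist category for qname, or None if it matches nothing.

    When several entries match (e.g. a specific host and its parent domain),
    the longest matching suffix wins, so the more specific category is used.
    """
    best = None  # (suffix length, category)
    for category, domains in WATCHLIST.items():
        for domain in domains:
            if qname == domain or qname.endswith("." + domain):
                if best is None or len(domain) > best[0]:
                    best = (len(domain), category)
    return best[1] if best else None


def summarize(log_lines):
    """Map client -> category -> sorted list of distinct names queried.

    A and AAAA lookups for the same name collapse to one entry; unmatched
    names (internal hosts, ordinary web traffic) are dropped.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        qname, src = parsed
        category = classify(qname)
        if category:
            hits[src][category].add(qname)
    return {src: {cat: sorted(names) for cat, names in cats.items()}
            for src, cats in hits.items()}


# Constructed sample log (not from a real system); 203.0.113.0/24 is a
# documentation address range.
SAMPLE_LOG = """\
Jun 17 09:12:03 gw dnsmasq[812]: query[A] intranet.corp.example from 10.10.4.21
Jun 17 09:12:05 gw dnsmasq[812]: query[A] www.dropbox.com from 10.10.4.21
Jun 17 09:12:05 gw dnsmasq[812]: query[AAAA] www.dropbox.com from 10.10.4.21
Jun 17 09:13:40 gw dnsmasq[812]: query[A] pastebin.com from 10.10.4.21
Jun 17 09:14:02 gw dnsmasq[812]: query[A] github.com from 10.10.4.37
Jun 17 09:14:02 gw dnsmasq[812]: cached github.com is 203.0.113.9
Jun 17 09:15:11 gw dnsmasq[812]: query[A] mail.google.com. from 10.10.4.37
Jun 17 09:15:11 gw dnsmasq[812]: query[A] www.google.com from 10.10.4.37
""".splitlines()


if __name__ == "__main__":
    for src, cats in sorted(summarize(SAMPLE_LOG).items()):
        for cat, names in sorted(cats.items()):
            print(f"{src}  {cat}: {', '.join(names)}")
```

Two caveats when using this in practice: a DNS query only shows that a name was resolved, not that the web resource was successfully accessed or that data moved, so the output is a lead for the investigator rather than proof; and clients using encrypted DNS (DNS over HTTPS or TLS) or a resolver outside the corporate one will not appear in these logs at all, so the resolver log should be paired with proxy or endpoint telemetry where that coverage matters.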