ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT085
  • Created: 25th July 2024
  • Updated: 25th July 2024
  • Platform: Windows
  • Contributor: Ismael Briones-Vilar

Network Registry Key

In Microsoft Windows, when a subject maps a network drive persistently, a key named after the drive letter will appear in the Windows registry location HKEY_CURRENT_USER\Network\.  Each subkey under the Network key corresponds to a mapped network drive and contains information about the drive, including the network share path and the username used to connect to it.

Sections

ID Name Description
IF004.003Exfiltration via Personal NAS Device

A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data.