Preventions
- ID: PV001
- Created: 25th May 2024
- Updated: 14th June 2024
- Contributor: The ITM Team
No Ready System-Level Mitigation
This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.
Sections
ID | Name | Description |
---|---|---|
AF015 | File Deletion | A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files. |
ME006 | Web Access | A subject can access the web with an organization device. |
ME011 | Screenshots | A subject can take screenshots on a device. |
ME012 | Clipboard | A subject can use the clipboard on a device (copy & paste). |
AF001 | Clear Command History | A subject clears command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities. |
AF011 | Physical Destruction of Storage Media | A subject may destroy or otherwise impair physical storage media such as hard drives to prevent them from being analyzed. |
AF014 | System Shutdown | A subject may shut down a system to clear volatile memory (RAM), preventing memory acquisition and analysis. |
PR012 | Physical Disk Removal | A subject removes the physical disk of a target system to access the target file system with an external device/system. |
PR023 | Suspicious Web Browsing | A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event. |
AF001.002 | Clear Bash History | A subject clears bash terminal command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities. The Command Prompt on Windows only stores command history within the current session; once Command Prompt is closed, the history is lost. On Linux-based operating systems, different terminal software may store command history in various locations, with the most common being On macOS the Terminal utility will write command history to |
AF001.001 | Clear PowerShell History | A subject clears PowerShell command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities. PowerShell stores command history in the context of a user account. This file is located at A subject can delete their own A subject may attempt to use the |
PR016.001 | Local Data Staging | A subject stages collected data in a central location or directory local to the current system prior to exfiltration. |
PR020.001 | Renaming Files or Changing File Extensions | A subject may rename a file to obscure the content of the file or change the file extension to hide the file type. This can aid in avoiding suspicion and bypassing certain security filters and endpoint monitoring tools. For example, renaming a sensitive document from FinancialReport.docx to Recipes.txt before copying it to a USB mass storage device. |
AF004.001 | Clear Chrome Artifacts | A subject clears Google Chrome browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |
AF004.003 | Clear Firefox Artifacts | A subject clears Mozilla Firefox browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |
AF004.002 | Clear Edge Artifacts | A subject clears Microsoft Edge browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history. |