
Insider Threat Matrix™
  • ID: PV008
  • Created: 25th May 2024
  • Updated: 27th July 2024
  • Contributor: The ITM Team

Enforce File Permissions

File servers and collaboration platforms such as SharePoint, Confluence, and OneDrive should have permissions configured so that users can reach only the directories and files they need, restricting unauthorized access to sensitive content.

Sections

ID Name Description
AF003 Timestomping

A subject modifies a file's modified, accessed, and created (MAC) timestamps to hide newly created files or to obscure changes made to existing files, hindering an investigation by pushing the file or files outside the timeframe under review.

nTimestomp is part of the nTimetools repository and provides tools for working with file timestamps on the Windows operating system. It lets the user supply a value for each timestamp individually, or set all timestamps to the same value.

 

On Linux, the standard touch utility can set the access and modification times of a file. For example:

touch -a -m -d '10 February 2001 12:34' <file>

Here -a selects the access time, -m the modification time, and -d supplies the date and time to apply to the target file (GNU touch sets both times when neither -a nor -m is given). Note that touch cannot set the inode change time (ctime): the kernel updates ctime to the current time whenever the other timestamps are rewritten, so an mtime far older than the ctime is a common indicator that a file has been timestomped.
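
The following is an added example, not code from the ITM page or from nTimetools. It performs the same backdating as the touch command above using os.utime, then runs a simple triage check for the side effect described: the mtime is rewritten to 2001 but the ctime stays at the moment of the rewrite. The file name, content and backdate value are constructed for the example; the ctime check assumes Linux or macOS stat semantics, where st_ctime is the inode change time.

```python
import os
import tempfile
from datetime import datetime, timezone

# Backdate target, equivalent to `touch -a -m -d '10 February 2001 12:34'`
# (constructed example value, interpreted here as UTC).
BACKDATE = datetime(2001, 2, 10, 12, 34, tzinfo=timezone.utc).timestamp()


def timestomp(path, when):
    """Rewrite atime and mtime, which is all `touch -a -m -d` can do.
    The inode change time (ctime) cannot be set from user space: the kernel
    stamps it with the current time as a side effect of this call."""
    os.utime(path, (when, when))


def looks_timestomped(path, slack=60.0):
    """Triage check: flag a file whose mtime is older than its ctime by more
    than `slack` seconds. A genuine edit updates mtime and ctime together, so
    a large gap means the mtime was rewritten after the last real change.
    Caveat: `cp -p`, `rsync -t` and archive extraction also preserve an old
    mtime, so a hit needs corroboration (file system journal, backups)."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack


def demo():
    """Create a file, backdate it, and report what the check sees before and after."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "report.txt")  # constructed sample file
        with open(p, "w") as f:
            f.write("constructed sample content\n")
        before = looks_timestomped(p)      # fresh file: mtime and ctime agree
        timestomp(p, BACKDATE)
        st = os.stat(p)
        return {
            "flagged_before": before,
            "flagged_after": looks_timestomped(p),
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "ctime_after_mtime": st.st_ctime > st.st_mtime,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the fresh file passing the check and the backdated file failing it, with the mtime reading 2001-02-10T12:34 while the ctime still reads the current time. The slack value is deliberately generous; legitimate workflows that preserve timestamps will also trip the check, so treat it as a filter for files worth a closer look rather than as proof of tampering.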

PR004.001 Network File Exploration

A subject may search for or otherwise explore files on a Network Attached Storage (NAS) device to identify sensitive information.

PR004.002 Collaboration Platform Exploration

A subject may search for or otherwise explore files on a collaboration platform (such as SharePoint, OneDrive or Confluence) to identify sensitive or valuable information.

AF008.001 Image Steganography

A subject embeds data within image files to hide sensitive content and exfiltrate it in a way that conceals both the data and the act of exfiltration. Unlike encryption alone, which protects the content but not the fact that it exists, steganography attempts to hide the very existence of the data.

 

Method: Least Significant Bit (LSB)
Description: Modifies the least significant bits of pixel values (typically in the RGB channels) to store hidden data with minimal visible change.
Notes: High capacity and simple to implement, but fragile: lossy compression may destroy the data, and the embedding is detectable via histogram or entropy analysis.

Method: Masking / Filtering
Description: Alters luminance or contrast, embedding data in textured or edge-heavy regions.
Notes: Used with lossless formats (e.g. PNG, BMP). More robust than LSB, but limited capacity.

Method: Transform-Domain Methods
Description: Applies a frequency transform (DCT, DWT, FFT) and embeds data in the transform coefficients.
Notes: More resilient to compression and image editing. Lower capacity, higher complexity.

Method: Palette / Color-Table Encoding
Description: Modifies color palette entries or transparency values in indexed-color images.
Notes: Difficult to detect visually, but limited to palette-based formats. May expose anomalies when color tables are compared.

Method: EOF Padding (Appended Data)
Description: Appends hidden content after the image's End of File (EOF) marker.
Notes: Simple and often overlooked. No modification of the image data is required, making visual detection difficult. Easily done with basic scripts, file joiners or a hex editor. Can be exposed when the file is unexpectedly large or during forensic carving.

Method: Edge/Noise-Based Embedding
Description: Selectively hides data in edges or noise, or uses adaptive spreading.
Notes: Hardest to detect, especially when combined with ML techniques. Lower capacity, complex implementation.

 

Trade-offs

  • LSB and EOF appending: high capacity, low complexity, but easily exposed by inspection
  • Transform-domain and edge-based: higher stealth and resilience, lower capacity
  • Appended EOF: minimal technical skill required; common in low-effort exfiltration attempts

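
The EOF padding row above is the one a defender can check cheaply, because a decoder stops at the image's terminal marker and ignores whatever follows. The block below is an added example, not code from the ITM page: it builds a minimal valid PNG in memory (a constructed 2x2 grey image, so nothing needs to be read from disk), appends a payload the way a file joiner or `cat` would, and then walks the PNG chunk list with CRC checks to report any bytes after the IEND chunk. The magic-byte table used to label the trailing data is a small assumption of the example and covers only a few common container formats.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# A few signatures worth recognising in appended data (assumed, non-exhaustive).
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip archive",
    b"\x1f\x8b": "gzip stream",
    b"%PDF": "PDF document",
    PNG_SIG: "second PNG",
}


def _chunk(ctype, data):
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width=2, height=2):
    """Build a minimal valid 8-bit RGB PNG (constructed sample, all pixels grey)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by width*3 RGB bytes.
    raw = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def append_payload(png, payload):
    """EOF padding: the hidden data simply follows IEND; the image still renders."""
    return png + payload


def trailing_bytes(png):
    """Walk the chunk list and return whatever follows the IEND chunk.
    CRCs are verified so a corrupted structure is not mistaken for a clean file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4          # header + data + CRC
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[end - 4:end])[0]
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("no IEND chunk")


def describe_trailing(png):
    """Human-readable verdict for triage output."""
    tail = trailing_bytes(png)
    if not tail:
        return "clean: nothing after IEND"
    for magic, name in KNOWN_MAGIC.items():
        if tail.startswith(magic):
            return f"{len(tail)} bytes after IEND ({name})"
    return f"{len(tail)} bytes after IEND (unknown, entropy check recommended)"


if __name__ == "__main__":
    clean = make_png()
    stuffed = append_payload(clean, b"PK\x03\x04" + b"\x00" * 10)  # fake zip header
    print(describe_trailing(clean))
    print(describe_trailing(stuffed))
```

The same idea applies to other formats with a terminal marker (JPEG ends with the FF D9 EOI marker, GIF with a 0x3B trailer), but JPEG needs care because an embedded EXIF thumbnail carries its own EOI, so a naive search for the first FF D9 will give false positives. Pairing this check with a size comparison against the dimensions declared in IHDR catches the "unexpectedly large file" case mentioned in the table.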
IF013.001 File or Data Deletion

A subject deletes organizational files or data (manually or through tooling) outside authorized workflows, resulting in the loss, concealment, or unavailability of operational assets. This infringement encompasses both targeted deletion (e.g. selected records, logs, or documents) and bulk removal (e.g. recursive deletion of directories or volumes).

 

Unlike Destructive Malware Deployment, which uses self-propagating or malicious code to irreversibly damage systems, this behavior reflects direct user-driven actions or scripts that remove or purge data without employing destructive payloads. Deletions may be conducted via built-in utilities, custom scripts, scheduled tasks, or misuse of administrative tools such as backup managers or version control systems.

 

This activity is frequently carried out to:

  • Conceal evidence of other infringing actions (e.g. deleting logs to frustrate an investigation)
  • Sabotage the availability of critical information (e.g. deleting shared drives or project directories)
  • Facilitate exfiltration or its preparation (e.g. purging redundant files before copying sensitive data)

 

It may also involve secondary actions such as emptying recycle bins, purging shadow copies, disabling version histories, or wiping removable media to obscure the scope of deletion.
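
Bulk removal from a file share is the variant that is easiest to surface from existing telemetry. The block below is an added example, not code from the ITM page: it assumes a Linux file server with an auditd rule of the form `-a always,exit -F arch=b64 -S unlink,unlinkat -F dir=/srv/share -F auid>=1000 -k share-delete`, joins the SYSCALL record with its PATH record on the audit serial, and then applies a sliding window per login user to flag anyone who removes more than a threshold of files in a short period. The audit lines, paths, user IDs and thresholds are constructed for the example, and the records are abbreviated to the fields the parser uses.

```python
import re
from collections import defaultdict

# Constructed, abbreviated auditd output (not from the original page).
# syscall=87 is unlink on x86_64; the PATH record with nametype=DELETE
# names the removed file. Serial numbers tie the two records together.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1716640000.101:501): arch=c000003e syscall=87 success=yes exit=0 auid=1001 uid=1001 comm="rm" exe="/usr/bin/rm" key="share-delete"
type=PATH msg=audit(1716640000.101:501): item=1 name="/srv/share/finance/q1.xlsx" nametype=DELETE
type=SYSCALL msg=audit(1716640000.104:502): arch=c000003e syscall=87 success=yes exit=0 auid=1001 uid=1001 comm="rm" exe="/usr/bin/rm" key="share-delete"
type=PATH msg=audit(1716640000.104:502): item=1 name="/srv/share/finance/q2.xlsx" nametype=DELETE
type=SYSCALL msg=audit(1716640001.520:503): arch=c000003e syscall=87 success=yes exit=0 auid=1001 uid=1001 comm="rm" exe="/usr/bin/rm" key="share-delete"
type=PATH msg=audit(1716640001.520:503): item=1 name="/srv/share/finance/q3.xlsx" nametype=DELETE
type=SYSCALL msg=audit(1716640020.003:504): arch=c000003e syscall=87 success=yes exit=0 auid=1001 uid=1001 comm="rm" exe="/usr/bin/rm" key="share-delete"
type=PATH msg=audit(1716640020.003:504): item=1 name="/srv/share/finance/q4.xlsx" nametype=DELETE
type=SYSCALL msg=audit(1716640030.250:505): arch=c000003e syscall=87 success=yes exit=0 auid=1002 uid=1002 comm="rm" exe="/usr/bin/rm" key="share-delete"
type=PATH msg=audit(1716640030.250:505): item=1 name="/srv/share/hr/old-draft.docx" nametype=DELETE
type=SYSCALL msg=audit(1716640050.777:506): arch=c000003e syscall=87 success=yes exit=0 auid=1001 uid=1001 comm="rm" exe="/usr/bin/rm" key="share-delete"
type=PATH msg=audit(1716640050.777:506): item=1 name="/srv/share/finance/budget.xlsx" nametype=DELETE
"""

SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'.*?\bauid=(?P<auid>\d+)\b.*?\bcomm="(?P<comm>[^"]*)"')
PATH_RE = re.compile(
    r'^type=PATH msg=audit\(\d+\.\d+:(?P<serial>\d+)\):'
    r'.*?\bname="(?P<name>[^"]*)".*?\bnametype=DELETE\b')


def parse_deletions(log_text):
    """Join SYSCALL and PATH records by serial; return one dict per deleted path.
    auid (the login UID) is used rather than uid so sudo does not hide the actor."""
    syscalls, deletions = {}, []
    for line in log_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m["serial"]] = {"ts": float(m["ts"]), "auid": m["auid"], "comm": m["comm"]}
            continue
        m = PATH_RE.match(line)
        if m and m["serial"] in syscalls:
            deletions.append({**syscalls[m["serial"]], "path": m["name"]})
    return deletions


def bulk_deleters(deletions, threshold=3, window=60.0):
    """Sliding window per auid: report users who delete >= threshold files
    within `window` seconds, keeping the largest burst seen for each."""
    by_user = defaultdict(list)
    for d in sorted(deletions, key=lambda d: d["ts"]):
        by_user[d["auid"]].append(d)
    alerts = {}
    for auid, events in by_user.items():
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(auid, {}).get("count", 0):
                alerts[auid] = {
                    "count": count,
                    "window_start": events[start]["ts"],
                    "window_end": ev["ts"],
                    "comm": ev["comm"],
                    "paths": [e["path"] for e in events[start:end + 1]],
                }
    return alerts


if __name__ == "__main__":
    for auid, alert in bulk_deleters(parse_deletions(SAMPLE_AUDIT)).items():
        print(f"auid={auid} removed {alert['count']} files via {alert['comm']}: {alert['paths']}")
```

With the sample data, auid 1001 removes five files inside a 60-second window and is reported, while auid 1002's single deletion is not. In production the threshold should be tuned per share, build or backup service accounts excluded by auid, and the same join applied to rename and renameat, since moving a directory out of the share is operationally indistinguishable from deleting it.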