Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Increase Privileges
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP) Access on Windows Systems
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR015.004
- Created: 31st May 2024
- Updated: 14th December 2024
- Contributor: The ITM Team
Bulk Email Collection
A subject creates an email collection file such as a Personal Storage Table (PST) file or an MBOX file to copy an entire mailbox or subset of a mailbox containing sensitive information.
Prevention
| ID | Name | Description |
|---|---|---|
| PV003 | Enforce an Acceptable Use Policy | An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks. |
| PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |
Detection
| ID | Name | Description |
|---|---|---|
| DT106 | Microsoft Entra ID Privileged Identity Management Resource Audit | Within the Microsoft Entra admin center, the Resource audit can be reviewed to identify PIM elevations for users, including key information such as the requestor user, subject user, action, domain, and primary target (role assigned/removed). This can aid investigators by providing an audit trail for PIM elevations and the duration for which an eligible role was attached to a user account.
The following URL can be used to view this activity log, provided the investigator's account has the Privileged Role Administrator role assigned, or a role with higher privileges: |