
Insider Threat Matrix™
  • ID: AF028.005
  • Created: 06th October 2025
  • Updated: 08th October 2025
  • Contributor: The ITM Team

Connectivity Obstruction

The subject deliberately removes a corporate device from network connectivity to obstruct remote monitoring, containment, or forensic acquisition with the intent to frustrate and delay an investigation, or avoid detection while conducting local activity. This may involve disabling Wi-Fi or Ethernet, enabling airplane mode, disabling a network interface, removing SIM cards, or disconnecting from the organization’s virtual private network (VPN).


In some cases, the subject may physically relocate the device outside managed infrastructure, such as taking it off-premises or into unmonitored environments, further complicating retrieval and response. By operating offline or outside trusted channels, the subject effectively severs telemetry pipelines (EDR, SIEM, UAM), limiting visibility into device activity, user behavior, or policy violations.


Unlike powering off, this tactic allows the subject to continue accessing, modifying, or destroying data while bypassing containment triggers or remote access restrictions.
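
A defender-side check that follows from the distinction above, added here as an example and not part of the ITM entry: find gaps in server-side agent check-ins, then look for endpoint-local events inside each gap to separate a device that was kept in use offline from one that was simply off. The hostnames, event names, data layout and 15-minute threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data. Hostnames, event names and the 15-minute threshold
# are assumptions for illustration, not values from the ITM entry.
CHECKINS = {  # server-side record of agent check-ins per device
    "LT-0142": [ts("2025-10-06 09:00"), ts("2025-10-06 09:05"),
                ts("2025-10-06 09:10"), ts("2025-10-06 13:05")],
    "LT-0207": [ts("2025-10-06 09:00"), ts("2025-10-06 09:05"),
                ts("2025-10-06 12:30")],
}
LOCAL_EVENTS = {  # endpoint-local events recovered after reconnect or imaging
    "LT-0142": [(ts("2025-10-06 09:12"), "interface_disabled"),
                (ts("2025-10-06 10:15"), "file_read"),
                (ts("2025-10-06 11:40"), "file_delete")],
    "LT-0207": [(ts("2025-10-06 09:06"), "system_shutdown"),
                (ts("2025-10-06 12:29"), "system_boot")],
}
MAX_SILENCE = timedelta(minutes=15)
POWER_EVENTS = {"system_shutdown", "system_boot"}

def telemetry_gaps(checkins, max_silence=MAX_SILENCE):
    """Return (start, end) pairs where consecutive check-ins are too far apart."""
    times = sorted(checkins)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]

def activity_in_gap(gap, events):
    """Local non-power events timestamped strictly inside a telemetry gap."""
    start, end = gap
    return [(t, name) for t, name in sorted(events)
            if start < t < end and name not in POWER_EVENTS]

def review(device):
    """Classify each gap: device stayed in use offline, or was simply off/idle."""
    findings = []
    for gap in telemetry_gaps(CHECKINS[device]):
        hits = activity_in_gap(gap, LOCAL_EVENTS.get(device, []))
        verdict = "active_while_offline" if hits else "off_or_idle"
        findings.append((gap, verdict, [name for _, name in hits]))
    return findings

if __name__ == "__main__":
    for dev in CHECKINS:
        for (start, end), verdict, names in review(dev):
            print(dev, start, end, verdict, names)
```

The local events only become available once the device reconnects or is imaged, so this check runs retrospectively and depends on the endpoint's clock and local logs being intact.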