Insider Threat Matrix™

  • ID: PR006.004
  • Created: 14th September 2024
  • Updated: 14th September 2024
  • Contributor: The ITM Team

Security Enumeration via Network Activity

A subject attempts to identify security software by monitoring network traffic. Endpoint agents such as EDR, DLP and web-filtering clients keep connections open to their management servers or vendor cloud services, so a subject can infer which controls are deployed by capturing packets on their own device, or by inspecting its active connections and DNS queries for those destinations, without interacting with the agents directly.

Prevention

ID Name Description

PV015 Application Whitelisting

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install tooling of their own choosing, such as packet capture utilities. A whitelist on its own does not cover capture features built into the operating system (Windows, for example, ships netsh trace and pktmon), so it should be paired with the privilege restriction below and with process execution logging.

PV002 Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and periodic reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete their duties as per their role. Installing a packet capture driver or starting a built-in network trace normally requires local administrator rights, so withholding those rights closes the most direct route to this technique.

Detection

ID Name Description
DT043 Sysmon Process Create Event

This detection is not available by default: System Monitor (Sysmon) is not part of a standard Windows installation and must be deployed with a configuration, and its events should be forwarded to a central log store so that a subject with local rights cannot simply clear them.

Sysmon Event ID 1 records process creation, including the Image path, CommandLine, User, ParentImage and the OriginalFileName taken from the executable's version information. Reviewing these logs can determine what software has been run on a system: launches of packet capture tools (for example Wireshark, tshark, dumpcap or tcpdump) and use of built-in capture features such as netsh trace or pktmon both appear here, and matching on OriginalFileName also catches a capture binary that has been copied and renamed.
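As an added worked example, not part of the ITM page or of the Sysmon project, the following Python script applies the detection described above to Sysmon Event ID 1 records in their EVTX XML layout. It flags three cases: a known capture tool launched by path, a capture binary that was copied and renamed but still carries its original name in the PE version information, and a built-in tool (netsh trace) used as a sniffer. The watchlist of executable names, the constructed sample events, the host name WS01 and the user CORP\jdoe are assumptions chosen for illustration; the field names Image, OriginalFileName, CommandLine, User and ParentImage are the real Sysmon Event ID 1 fields.

```python
"""Flag packet-capture and network-enumeration tooling in Sysmon Event ID 1 (process create) records.

Added example for the ITM page; the watchlists and sample events below are constructed for
illustration and are not ITM or Sysmon artefacts.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from xml.sax.saxutils import escape

# Windows event XML namespace used by Sysmon's EVTX records.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Executable names whose launch on a standard user's workstation is worth a look.
# Illustrative watchlist (assumption); tune it to the tooling approved in your estate.
CAPTURE_IMAGES = {"wireshark.exe", "tshark.exe", "dumpcap.exe", "windump.exe",
                  "tcpdump.exe", "rawcap.exe", "pktmon.exe"}

# Built-in tools that are benign in general but act as sniffers with these arguments.
CAPTURE_CMDLINES = {"netsh.exe": ("trace start",)}


def parse_event(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the EventData of a Sysmon Event ID 1 record as a dict; None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{NS}System/{NS}EventID") != "1":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    data["Computer"] = root.findtext(f"{NS}System/{NS}Computer", default="")
    return data


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason if this process create looks like network capture, else None."""
    image = basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()  # from PE version info; survives renaming
    cmdline = ev.get("CommandLine", "").lower()
    if image in CAPTURE_IMAGES:
        return f"known capture tool launched: {image}"
    if original in CAPTURE_IMAGES:
        return f"renamed capture tool: {image} has OriginalFileName {original}"
    for tool, needles in CAPTURE_CMDLINES.items():
        if image == tool or original == tool:
            for needle in needles:
                if needle in cmdline:
                    return f"built-in tool used for capture: {tool} ({needle})"
    return None


def scan(events: List[str]) -> List[Dict[str, str]]:
    """Run check_event over raw event XML strings and collect the findings."""
    findings = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev is None:
            continue
        reason = check_event(ev)
        if reason is not None:
            findings.append({"host": ev["Computer"], "user": ev.get("User", ""),
                             "image": ev.get("Image", ""), "reason": reason})
    return findings


def sysmon_event(event_id: int, image: str, original: str, cmdline: str,
                 user: str, computer: str = "WS01") -> str:
    """Build a minimal Sysmon record in EVTX XML layout. Constructed sample data, not real
    telemetry; only the fields the detector reads are included."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>
  <Computer>{escape(computer)}</Computer></System>
  <EventData>
    <Data Name="Image">{escape(image)}</Data>
    <Data Name="OriginalFileName">{escape(original)}</Data>
    <Data Name="CommandLine">{escape(cmdline)}</Data>
    <Data Name="User">{escape(user)}</Data>
    <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # 1. Wireshark launched from its install path by a standard user.
    sysmon_event(1, r"C:\Program Files\Wireshark\Wireshark.exe", "Wireshark.exe",
                 r'"C:\Program Files\Wireshark\Wireshark.exe"', r"CORP\jdoe"),
    # 2. dumpcap.exe copied into the user profile and renamed; version info still names it.
    sysmon_event(1, r"C:\Users\jdoe\AppData\Local\Temp\svc_update.exe", "dumpcap.exe",
                 r"svc_update.exe -i 1 -w C:\Users\jdoe\out.pcapng", r"CORP\jdoe"),
    # 3. Built-in netsh used as a sniffer, so application whitelisting alone would not stop it.
    sysmon_event(1, r"C:\Windows\System32\netsh.exe", "netsh.exe",
                 r"netsh trace start capture=yes tracefile=C:\Users\jdoe\t.etl", r"CORP\jdoe"),
    # 4. Ordinary process create that must not be flagged.
    sysmon_event(1, r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE", "notepad.exe", r"CORP\jdoe"),
    # 5. A Sysmon network connection event (ID 3) is ignored by parse_event.
    sysmon_event(3, r"C:\Program Files\Wireshark\Wireshark.exe", "Wireshark.exe", "", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['reason']}")
```

To run it against real telemetry, export the operational channel with `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` and pass each `<Event>` element to `scan` as its own string. The OriginalFileName check is the part worth keeping whatever the rest of your pipeline looks like: a subject who renames dumpcap.exe defeats a path-based rule but not the name embedded in the binary's version resource.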