Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Increase Privileges
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR018
- Created: 23rd July 2024
- Updated: 14th December 2024
- Platforms: Windows, Linux, MacOS,
- Contributor: The ITM Team
Circumventing Security Controls
A subject abuses their access or conducts unapproved changes to circumvent host-based security controls.
Subsections
| ID | Name | Description |
|---|---|---|
| PR018.002 | Impairing a Security Agent | A subject abuses their access or conducts unapproved changes to impair the effectiveness of a security agent, such as causing it to crash or killing any associated system processes. |
| PR018.006 | Impairing an Anti-Virus Solution | A subject abuses their access or conducts unapproved changes to impair the effectiveness of an anti-virus solution, such as causing it to crash or killing any associated system processes. |
| PR018.004 | Modifying a Host-Based Firewall | A subject abuses their access or conducts unapproved changes by modifying the local host firewall, such as editing inbound or outbound rules, or disabling it. |
| PR018.003 | Unauthorized Manipulation of Anti-Virus Exclusions | A subject abuses their access or conducts unapproved changes to set exclusions within an anti-virus solution, allowing known malicious files to be executed from a specified location on disk. |
| PR018.001 | Uninstalling a Security Agent | A subject abuses their access or conducts unapproved changes to uninstall a security agent that is present on a system. |
| PR018.005 | Uninstalling an Anti-Virus Solution | A subject abuses their access or conducts unapproved changes by uninstalling the anti-virus solution installed on a system. |
Prevention
| ID | Name | Description |
|---|---|---|
| PV033 | Native Anti-Tampering Protections | Commercial security software may include native anti-tampering protections that prevent attempts to interfere with its operations, such as deleting or renaming required files. |
Detection
| ID | Name | Description |
|---|---|---|
| DT106 | Microsoft Entra ID Privileged Identity Management Resource Audit | Within the Microsoft Entra admin center, the Resource audit can be reviewed to identify PIM elevations for users, including key information such as the requestor user, subject user, action, domain, and primary target (role assigned/removed). This can aid investigators by providing an audit trail for PIM elevations and the duration for which an eligible role was attached to a user account.
The following URL can be used to view this activity log, provided the investigator's account has the Privileged Role Administrator role assigned, or a role with higher privileges: |
| DT081 | Security Software Anti-Tampering Alerts | Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation. |
| DT082 | Windows Event Log, Local Firewall Changes | Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added. This event indicates that a change has been made to the Windows Firewall settings and typically logs information about the specific settings that were changed.
Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified. This event is logged when an outbound rule is modified in the Windows Firewall. It provides details about the rule that was changed.
Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted. This event is logged when an inbound rule is modified in the Windows Firewall. It provides details about the rule that was changed.
Event ID 4950: A Windows Firewall setting has changed. This event indicates that a change has been made to the Windows Firewall's global configuration, such as enabling or disabling the firewall. |