ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR018
  • Created: 23rd July 2024
  • Updated: 14th December 2024
  • Platforms: Windows, Linux, MacOS,
  • Contributor: The ITM Team

Circumventing Security Controls

A subject abuses their access or conducts unapproved changes to circumvent host-based security controls.

Subsections

ID Name Description
PR018.007Downgrading Microsoft Information Protection (MIP) labels

A subject may intentionally downgrade the Microsoft Information Protection (MIP) label applied to a file in order to obscure the sensitivity of its contents and bypass security controls. MIP labels are designed to classify and protect files based on their sensitivity—ranging from “Public” to “Highly Confidential”—and are often used to enforce Data Loss Prevention (DLP), access restrictions, encryption, and monitoring policies.

 

By reducing a file's label classification, the subject may make the file appear innocuous, thus reducing the likelihood of triggering alerts or blocks by email filters, endpoint monitoring tools, or other security mechanisms.

 

This technique can enable the unauthorized exfiltration or misuse of sensitive data while evading established security measures. It may indicate premeditated policy evasion and can significantly weaken the organization’s data protection posture.

 

Examples of Use:

  • A subject downgrades a financial strategy document from Highly Confidential to Public before emailing it to a personal address, bypassing DLP policies that would normally prevent such transmission.
  • A user removes a classification label entirely from an engineering design document to upload it to a non-corporate cloud storage provider without triggering security controls.
  • An insider reclassifies multiple project files from Confidential to Internal Use Only to facilitate mass copying to a removable USB device.

 

Detection Considerations:

  • Monitoring for sudden or unexplained MIP label downgrades, especially in proximity to data transfer events (e.g., email sends, cloud uploads, USB copies).
  • Correlating audit logs from Microsoft Purview (formerly Microsoft Information Protection) with outbound data transfer events.
  • Use of Data Classification Analytics to detect label changes on high-value files without associated business justification.
  • Reviewing file access and modification logs to identify users who have altered classification metadata prior to suspicious activity.
PR018.002Impairing a Security Agent

A subject abuses their access or conducts unapproved changes to impair the effectiveness of a security agent, such as causing it to crash or killing any associated system processes.

PR018.006Impairing an Anti-Virus Solution

A subject abuses their access or conducts unapproved changes to impair the effectiveness of an anti-virus solution, such as causing it to crash or killing any associated system processes.

PR018.004Modifying a Host-Based Firewall

A subject abuses their access or conducts unapproved changes by modifying the local host firewall, such as editing inbound or outbound rules, or disabling it.

PR018.003Unauthorized Manipulation of Anti-Virus Exclusions

A subject abuses their access or conducts unapproved changes to set exclusions within an anti-virus solution, allowing known malicious files to be executed from a specified location on disk.

PR018.001Uninstalling a Security Agent

A subject abuses their access or conducts unapproved changes to uninstall a security agent that is present on a system.

PR018.005Uninstalling an Anti-Virus Solution

A subject abuses their access or conducts unapproved changes by uninstalling the anti-virus solution installed on a system.

Prevention

ID Name Description
PV033Native Anti-Tampering Protections

Commercial security software may include native anti-tampering protections that prevent attempts to interfere with its operations, such as deleting or renaming required files.

Detection

ID Name Description
DT106Microsoft Entra ID Privileged Identity Management Resource Audit

Within the Microsoft Entra admin center, the Resource audit can be reviewed to identify PIM elevations for users, including key information such as the requestor user, subject user, action, domain, and primary target (role assigned/removed). This can aid investigators by providing an audit trail for PIM elevations and the duration for which an eligible role was attached to a user account.

 

The following URL can be used to view this activity log, provided the investigator's account has the Privileged Role Administrator role assigned, or a role with higher privileges: https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/Audit/resourceId//resourceType/tenant/provider/aadroles

DT081Security Software Anti-Tampering Alerts

Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation.

DT082Windows Event Log, Local Firewall Changes

Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added.

This event indicates that a change has been made to the Windows Firewall settings and typically logs information about the specific settings that were changed.

 

Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified.

This event is logged when an outbound rule is modified in the Windows Firewall. It provides details about the rule that was changed.

 

Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted.

This event is logged when an inbound rule is modified in the Windows Firewall. It provides details about the rule that was changed.

 

Event ID 4950: A Windows Firewall setting has changed.

This event indicates that a change has been made to the Windows Firewall's global configuration, such as enabling or disabling the firewall.