Circumventing Security Controls

A subject bypasses logical or physical network segmentation controls (such as VLANs, ACLs, security groups, or subnets) in order to obtain unauthorized access to systems, services, or data across trust boundaries. This preparation technique commonly manifests through deliberate configuration changes (e.g., modifying ACLs or VLAN assignments), covert tunneling (e.g., SSH, HTTPS reverse tunnels), rogue device introduction (e.g., unmanaged switches or dual-homed devices), or misuse of trusted services (e.g., remote access platforms or admin automation tools that bridge zones).

Such actions are often observable via first-time or anomalous cross-segment flows, management plane configuration logs, 802.1X/NAC anomalies, or long-lived encrypted outbound sessions. These techniques typically exploit privileged access, weak change control, or poor posture enforcement.

This behaviour may be motivated by a subject’s attempt to escalate access, stage data for exfiltration, evade oversight, or maintain persistence across environments. It is especially critical in environments with sensitive zoning, such as production-to-dev separations, cloud VPC peerings, or physically segmented OT/ICS networks.

Investigators should prioritize telemetry correlation across NetFlow/IP Flow Information Export (IPFIX), EDR, DHCP, and identity systems to attribute cross-zone traffic to known assets and subjects. Preserve infrastructure configuration snapshots and identify whether segmentation was circumvented by direct administrative action, covert bridging, or software-level tunnelling.

A subject may intentionally downgrade the Microsoft Information Protection (MIP) label applied to a file in order to obscure the sensitivity of its contents and bypass security controls. MIP labels are designed to classify and protect files based on their sensitivity—ranging from “Public” to “Highly Confidential”—and are often used to enforce Data Loss Prevention (DLP), access restrictions, encryption, and monitoring policies.

By reducing a file's label classification, the subject may make the file appear innocuous, thus reducing the likelihood of triggering alerts or blocks by email filters, endpoint monitoring tools, or other security mechanisms.

This technique can enable the unauthorized exfiltration or misuse of sensitive data while evading established security measures. It may indicate premeditated policy evasion and can significantly weaken the organization’s data protection posture.

Examples of Use:

• A subject downgrades a financial strategy document from Highly Confidential to Public before emailing it to a personal address, bypassing DLP policies that would normally prevent such transmission.
• A user removes a classification label entirely from an engineering design document to upload it to a non-corporate cloud storage provider without triggering security controls.
• An insider reclassifies multiple project files from Confidential to Internal Use Only to facilitate mass copying to a removable USB device.

Detection Considerations:

• Monitoring for sudden or unexplained MIP label downgrades, especially in proximity to data transfer events (e.g., email sends, cloud uploads, USB copies).
• Correlating audit logs from Microsoft Purview (formerly Microsoft Information Protection) with outbound data transfer events.
• Use of Data Classification Analytics to detect label changes on high-value files without associated business justification.
• Reviewing file access and modification logs to identify users who have altered classification metadata prior to suspicious activity.

A subject abuses their access or conducts unapproved changes to impair the effectiveness of a security agent, such as causing it to crash, killing any associated system processes, installing conflicting software, or preventing connectivity to telemetry domains.

A subject abuses their access or conducts unapproved changes to impair the effectiveness of an anti-virus solution, such as causing it to crash or killing any associated system processes.

A subject abuses their access or conducts unapproved changes by modifying the local host firewall, such as editing inbound or outbound rules, or disabling it.

A subject abuses their access or conducts unapproved changes to set exclusions within an anti-virus solution, allowing known malicious files to be executed from a specified location on disk.

A subject abuses their access or conducts unapproved changes to uninstall a security agent that is present on a system.

A subject abuses their access or conducts unapproved changes by uninstalling the anti-virus solution installed on a system.