ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PR018.001
  • Created: 23rd July 2024
  • Updated: 24th July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

Uninstalling a Security Agent

A subject abuses their access or conducts unapproved changes to uninstall a security agent that is present on a system.

Prevention

ID Name Description
PV033Native Anti-Tampering Protections

Commercial security software may include native anti-tampering protections that prevent attempts to interfere with its operations, such as deleting or renaming required files.

PV002Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Detection

ID Name Description
DT081Security Software Anti-Tampering Alerts

Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation.