ITM is an open framework - Submit your contributions now.

Preparation

Archive Data

Boot Order Manipulation

CCTV Enumeration

Circumventing Security Controls

Data Obfuscation

Renaming Files or Changing File Extensions

Data Staging

Device Mounting

Email Collection

External Media Formatting

File Exploration

IT Ticketing System Exploration

Network Scanning

Physical Disk Removal

Physical Exploration

Physical Item Smuggling

Private / Incognito Browsing

Read Windows Registry

Security Software Enumeration

Social Engineering (Outbound)

Software Installation

Software or Access Request

Managerial Approval

Suspicious Web Browsing

Testing Ability to Print

ID: PR018.002
Created: 23rd July 2024
Updated: 24th July 2024
Platforms: Windows, Linux, MacOS
Contributor: The ITM Team

Impairing a Security Agent

A subject abuses their access or conducts unapproved changes to impair the effectiveness of a security agent, such as causing it to crash or killing any associated system processes.

Prevention

ID	Name	Description
PV033	Native Anti-Tampering Protections	Commercial security software may include native anti-tampering protections that prevent attempts to interfere with its operations, such as deleting or renaming required files.
PV002	Restrict Access to Administrative Privileges	The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Detection

ID	Name	Description
DT081	Security Software Anti-Tampering Alerts	Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation.