ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: IF009
  • Created: 31st May 2024
  • Updated: 01st August 2025
  • Platforms: Windows, Linux, MacOS, iOS, Android, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI),
  • Contributor: The ITM Team

Installing Unapproved Software

A subject installs software onto an organization-managed system without prior approval or outside sanctioned methods (e.g., centralized package management, internal software portals). This behavior spans a spectrum of risk - from seemingly benign installations (e.g., video games, personal browsers, media players) to unauthorized deployment of potentially harmful tools sourced from unvetted repositories or adversarial infrastructure.

 

The infringement may involve:

 

  • Manual download and execution of installer packages
  • Use of administrative access to bypass endpoint restrictions
  • Cloning or compiling code from external sources such as GitHub, including malware-laden utilities disguised as open-source tools

 

While some installations may appear harmless, all represent a breakdown in configuration control and acceptable use. In high-risk scenarios, such software may introduce remote access mechanisms, data exfiltration capabilities, or sandbox-evading malware. Even benign cases signal behavioral drift, particularly when repeated or ignored, and can contribute to software sprawl, policy erosion, or eventual exploitation.

Subsections

ID Name Description
IF009.005Anti-Sleep Software

The subject installs or enables software, scripts, or hardware devices designed to prevent systems from automatically locking, logging out, or entering sleep mode. This unauthorized action deliberately subverts security controls intended to protect unattended systems from unauthorized access.

 

Characteristics

  • Circumvents policies enforcing session locks, idle timeouts, and mandatory logout periods.
  • May involve third-party applications ("caffeine" tools), anti-idle scripts, or physical devices such as USB mouse jigglers.
  • Typically deployed without organizational approval or awareness.
  • Leaves systems continuously unlocked and accessible, undermining endpoint security and physical safeguards.
  • Renders full disk encryption protections ineffective while the system remains powered and unlocked.
  • Creates opportunities for unauthorized access, data exfiltration, or device compromise by malicious insiders or third parties.

 

Example Scenario

A subject installs unauthorized anti-sleep software on a corporate laptop to prevent automatic locking during idle periods. As a result, the device remains accessible even when left unattended in unsecured environments such as cafes, airports, or shared workspaces. This action bypasses mandatory screen-lock policies and renders full disk encryption protections ineffective, exposing sensitive organizational data to theft or compromise by malicious third parties who can physically access the unattended device.

IF009.002Inappropriate Software

A subject installs software that is not considered appropriate by the organization.

IF009.007Installation of Unapproved Browser Extensions

The subject installs browser extensions on a managed device that have not been approved, vetted, or distributed via sanctioned organizational channels. These may include productivity tools, automation agents, data scrapers, content manipulators, or AI-enhanced interfaces. Installations typically originate from GitHub repositories, private developer sites, shared file storage, or sideloading tools that bypass enterprise browser controls.

 

Unapproved extensions introduce unmonitored execution environments directly into the subject’s browser, enabling silent access to sensitive web applications, stored credentials, and internal content. Many request expansive permissions (e.g., webRequest, cookies, tabs, clipboardRead) and operate with persistent background scripts that are difficult to detect through normal endpoint monitoring.

 

This behavior violates Acceptable Use Policies and, depending on the extension’s behavior, may also constitute unauthorized access, data exfiltration, or malware introduction. Some extensions—particularly those hosted on GitHub or distributed through Telegram groups or developer forums—have been found to contain obfuscated payloads, embedded credential harvesters, or cryptojacking modules.

 

Examples include:

 

  • Installing a GitHub-hosted ChatGPT sidebar extension that silently logs visited URLs and API keys used in developer consoles.
  • Deploying a YouTube downloader that injects scripts for ad click fraud or SEO manipulation.
  • Using a browser extension to auto-fill forms with personal data, which transmits data to offshore analytics servers.
  • Loading unpacked or custom extensions that disguise themselves as utilities but include base64-encoded malware installers.

 

While subjects may initially claim curiosity or productivity needs, repeated installation of unapproved extensions—especially after prior enforcement—may indicate normalization of risky behavior or active circumvention of controls.

IF009.006Installing Crypto Mining Software

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.

 

Characteristics

  • Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
  • May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
  • Often configured to throttle resource usage during business hours to evade human and telemetry detection.
  • Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL).
  • Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions.
  • Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls.

 

Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.

IF009.004Intentionally Introducing Malware

A subject intentionally introduces and attempts to execute malware on a system.

IF009.003Unintentionally Introducing Malware

A subject unintentionally introduces and attempts to execute malware on a system. This is can be achieved through various methods, such as phishing, malvertising, torrented downloads, and social engineering.

IF009.001Unwanted Software

A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.

Prevention

ID Name Description
PV015Application Whitelisting

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

PV021DNS Filtering

Domain Name System (DNS) filtering allows the blocking of domain resolution for specific domains or automatically categorized classes of domains (depending on the functionality of the software or appliance being used). DNS filtering prevents users from accessing blocked domains, regardless of the IP address the domains resolve to.

 

Examples of automatically categorized classes of domains are ‘gambling’ or ‘social networking’ domains. Automatic categorizations of domains are typically conducted by the software or appliance being used, whereas specific domains can be blocked manually. Most DNS filtering software or appliances will provide the ability to use Regular Expressions (RegEx) to (for example) also filter all subdomains on a specified domain.

DNS filtering can be applied on an individual host, such as with the hosts file, or for multiple hosts via a DNS server or firewall.

PV003Enforce an Acceptable Use Policy

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

PV006Install a Web Proxy Solution

A web proxy can allow for specific web resources to be blocked, preventing clients from successfully connecting to them.

PV002Restrict Access to Administrative Privileges

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Detection

ID Name Description
DT019Chrome Browser History

Google's Chrome browser stores the history of accessed websites and files downloaded.

 

On Windows, this information is stored in the following location:

C:/Users/<Username>/AppData/Local/Google/Chrome/User Data/Default/

On macOS:

/Users/<Username>/Library/Application Support/Google/Chrome/Default/

On Linux:

/home/<Username>/.config/google-chrome/Default/

 

Where /Default/ is referenced in the paths above, this is the default profile for Chrome, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

DT018Edge Browser History

Microsoft's Edge browser stores the history of accessed websites and files downloaded.

 

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\

On macOS:

/Users/<Username>/Library/Application Support/Microsoft Edge/Default/

On Linux:

/home/<Username>/.config/microsoft-edge/Default/

 

Where /Default/ is referenced in the paths above, this is the default profile for Edge, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

DT017Firefox Browser History

Mozilla's Firefox browser stores the history of accessed websites.

 

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile Name>\

On macOS:

/Users/<Username>/Library/Application Support/Firefox/Profiles/<Profile Name>/

On Linux:

/home/<Username>/.mozilla/firefox/<Profile Name>/

 

In this location two database files are relevant, places.sqlite (browser history and bookmarks) and favicons.sqlite (favicons for visited websites and bookmarks).
 

These database files can be opened in software such as DB Browser For SQLite.

DT044Linux dpkg Log

The Debian Package Management (dpkg) utility is responsible for software installation and management. This tool provides one or more log files, located at /var/log/dpkg.log.

This log contains the timestamp, the action conducted, and the package name and version.

To view pakage installs, the following command can be used: grep “ install ” /var/log/dpkg.log*

To view package uninstalls, the following command can be used: grep “ remove ” /var/log/dpkg.log*

DT043Sysmon Process Create Event

This detection is not enabled by default and requires additional configuration.

System Monitor (Sysmon) Event ID 1 is used to record process execution. Reviewing these logs can determine what software has been run on a system.

DT026Windows LNK Files

LNK files or Shortcut files are stored in the location C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent Items and have the “.lnk” file extension.

These files are automatically created when a user account accesses a file through Windows Explorer.

This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path.

DT027Windows Prefetch

In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in c:\windows\prefetch, these files are created with the extension .pf and have the following format <EXECUTABLE>-<HASH>.pf.

These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.

Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.