Infringement
Account Sharing
Data Loss
Denial of Service
Disruption of Business Operations
Excessive Personal Use
Exfiltration via Email
Exfiltration via Media Capture
Exfiltration via Messaging Applications
Exfiltration via Other Network Medium
Exfiltration via Physical Medium
- Exfiltration via Bring Your Own Device (BYOD)
- Exfiltration via Disk Media
- Exfiltration via Floppy Disk
- Exfiltration via New Internal Drive
- Exfiltration via Physical Access to System Drive
- Exfiltration via Physical Documents
- Exfiltration via Target Disk Mode
- Exfiltration via USB Mass Storage Device
- Exfiltration via USB to Mobile Device
- Exfiltration via USB to USB Data Transfer
Exfiltration via Screen Sharing
Exfiltration via Web Service
Harassment and Discrimination
Inappropriate Web Browsing
Installing Malicious Software
Installing Unapproved Software
Misappropriation of Funds
Non-Corporate Device
Providing Access to a Unauthorized Third Party
Public Statements Resulting in Brand Damage
Regulatory Non-Compliance
Sharing on AI Chatbot Platforms
Theft
Unauthorized Changes to IT Systems
Unauthorized Printing of Documents
Unauthorized VPN Client
Unlawfully Accessing Copyrighted Material
- ID: IF027
- Created: 01st October 2025
- Updated: 01st October 2025
- Platforms: Windows, Linux, MacOS, iOS, Android, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI),
- Contributor: The ITM Team
Installing Malicious Software
The subject deliberately or inadvertently introduces malicious software (commonly referred to as malware) into the organization’s environment. This may occur via manual execution, automated dropper delivery, browser‑based compromise, USB usage, or sideloading through legitimate processes. Malicious software includes trojans, keyloggers, ransomware, credential stealers, remote access tools (RATs), persistence frameworks, or other payloads designed to cause harm, exfiltrate data, degrade systems, or maintain unauthorized control.
Installation of malicious software represents a high-severity infringement, regardless of whether the subject's intent was deliberate or negligent. In some cases, malware introduction is the culmination of prior behavioral drift (e.g. installing unapproved tools or disabling security controls), while in others it may signal malicious preparation or active compromise.
This Section is distinct from general “Installing Unapproved Software”, which covers non‑malicious or policy-violating tools. Here, the software itself is malicious in purpose or impact, even if delivered under benign pretenses.
Subsections
ID | Name | Description |
---|---|---|
IF027.005 | Destructive Malware Deployment | The subject deploys destructive malware; software designed to irreversibly damage systems, erase data, or disrupt operational availability. Unlike ransomware, which encrypts files to extort payment, destructive malware is deployed with the explicit intent to delete, corrupt, or disable systems and assets without recovery. Its objective is disruption or sabotage, not necessarily for direct financial gain.
This behavior may include:
Insiders may deploy destructive malware as an act of retaliation (e.g. prior to departure), sabotage (e.g. to disrupt an investigation or competitor), or under coercion. Detonation may be manual or scheduled, and in some cases the malware is disguised as routine tooling to delay detection.
Destructive deployment is high-severity and often coincides with forensic tampering or precursor access based infringements (e.g. file enumeration or backup deletion). |
IF027.001 | Infostealer Deployment | The subject deploys credential-harvesting malware (commonly referred to as an infostealer) to extract sensitive authentication material or session artifacts from systems under their control. These payloads are typically configured to capture data from browser credential stores (e.g.,
Infostealers may be executed directly via compiled binaries, staged through malicious document macros, or loaded reflectively into memory using PowerShell, .NET assemblies, or process hollowing techniques. Some variants are fileless and reside entirely in memory, while others create persistence via registry keys (e.g.,
While often associated with external threat actors, insider deployment of infostealers allows subjects to bypass authentication safeguards, impersonate peers, or exfiltrate internal tokens for later use or sale. In cases where data is not immediately exfiltrated, local staging (e.g., in |
IF027.003 | Keylogger Deployment | The subject deploys software designed to record keystrokes entered on an endpoint to capture credentials, sensitive communications, internal documentation, or intellectual property. Keyloggers may be introduced as standalone binaries, embedded within otherwise legitimate tools, or configured through dual-use frameworks (e.g. C++ dropper with keylogging module). In insider scenarios, the deployment is typically local and deliberate, leveraging the subject’s physical access or assigned privileges to bypass existing controls.
Keyloggers operate in one of several modes:
Captured data is typically stored in encrypted local files (e.g. |
IF027.002 | Ransomware Deployment | The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access.
Ransomware payloads are typically compiled as executables, occasionally obfuscated using packers or crypters to evade detection. Execution may be initiated via command-line, scheduled task, script wrapper, or automated loader. Encryption routines often target common file extensions recursively across accessible volumes, mapped drives, and cloud sync folders. In advanced deployments, the subject may disable volume shadow copies (vssadmin delete shadows) or stop backup agents (net stop) prior to detonation to increase impact.
In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive. |
IF027.004 | Remote Access Tool (RAT) Deployment | The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.
RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode).
Functionality typically includes:
Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins ( |
Prevention
ID | Name | Description |
---|---|---|
PV015 | Application Whitelisting | By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves. |
PV006 | Install a Web Proxy Solution | A web proxy can allow for specific web resources to be blocked, preventing clients from successfully connecting to them. |
PV005 | Install an Anti-Virus Solution | An anti-virus solution detect and alert on malicious files, including the ability to take autonomous actions such as quarantining or deleting the flagged file. |
PV018 | Network Intrusion Prevention Systems | Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection. |
PV009 | Prohibition of Devices On-site | Certain infringements can be prevented by prohibiting certain devices from being brought on-site. |
PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |
PV037 | Restrict Removable Disk Mounting, Group Policy | Using Group Policy on Windows it is possible to block execute, read, and write operations related to a removeable disk, such as an SD card or USB mass storage devices.
Open the following policies and set them all to Enabled:
|
PV062 | Static Code Analysis via CI/CD Pipelines | Static code analysis integrated into CI/CD pipelines provides a critical prevention mechanism against anti-forensic behaviors embedded in code, scripts, and infrastructure definitions. By enforcing automated review of logic patterns prior to deployment, organizations can detect concealed execution paths, scheduling abuse, and evasive constructs before they reach production.
This control is especially vital in mitigating deferred execution techniques, where the subject inserts code that activates long after submission—typically to evade scrutiny or delay attribution. Static analysis enables defenders to identify high-risk patterns at rest, before runtime, reducing reliance on reactive detection and shortening investigative timelines.
Detection of Time-Based Execution Logic:
Abnormal Delay Functions and Sleep Calls:
Embedded Scheduler References in Scripts:
Identification of Obfuscation and Dynamic Constructs:
CI/CD Blocking and Exception Escalation:
Pre-Deployment Artifact Scanning:
Cross-Team Code Review and Signature Expansion:
Attestation of Safe Logic by Departing Engineers: |
Detection
ID | Name | Description |
---|---|---|
DT046 | Agent Capable of Endpoint Detection and Response | An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.
Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.
An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate). |
DT045 | Agent Capable of User Activity Monitoring | An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.
The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).
Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.
Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms. |
DT047 | Agent Capable of User Behaviour Analytics | An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.
The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.
A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.
Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms. |
DT009 | Cyber Deception, File Canary | By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.
By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected. |
DT011 | Cyber Deception, Honey User | In cyber deception, a "honey user" (or "honey account") is a decoy user account designed to detect and monitor malicious activities. These accounts attract attackers by appearing legitimate or using common account names, but any interaction with them is highly suspicious and flagged for investigation. Honey users can be deployed in various forms, such as Active Directory users, local system accounts, web application users, and cloud users. |
DT010 | Cyber Deception, Honeypot | A honeypot is a decoy system that mimics a legitimate system or service, enticing a malicious actor to interact with it. It records any interaction for later review. |
DT048 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).
Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |
DT097 | Deep Packet Inspection | Implement Deep Packet Inspection (DPI) tools to inspect the content of network packets beyond the header information. DPI can identify unusual patterns and hidden data within legitimate protocols. DPI can be conducted with a range of software and hardware solutions, such as Unified Threat Management (UTM) and Next-Generation Firewalls (NGFWs), as well as Intrusion Detection and Prevention Systems (IDPS) such as Snort and Suricata, |
DT122 | DNS and HTTPS Traffic to Web-Based Remote Access Platforms | Monitor DNS queries and outbound HTTP/S traffic to known domains associated with browser-based remote access services. These platforms—such as LogMeIn, AnyDesk, Chrome Remote Desktop, and Microsoft RD Web Access—allow subjects to initiate or maintain remote sessions outside of approved IT infrastructure. Their use may indicate preparation for unauthorized remote access, data exfiltration, or external collaboration.
Detection Methods:
Example domains and subdomains include:
Configure alerting for:
Integrate results with identity sources to correlate web access with role-based access expectations. |
DT051 | DNS Logging | Logging DNS requests made by corporate devices can assist with identifying what web resources a system has attempted to or successfully accessed. |
DT098 | NetFlow Analysis | Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.
NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.
Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors. |
DT042 | Network Intrusion Detection Systems | Network Intrusion Detection Systems (NIDS) can alert on abnormal, suspicious, or malicious patterns of network behavior. |
DT081 | Security Software Anti-Tampering Alerts | Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation. |
DT102 | User and Entity Behavior Analytics (UEBA) | Deploy User and Entity Behavior Analytics (UEBA) solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and other non-human resources. UEBA systems track normal behavior patterns and detect anomalies that could indicate potential insider events. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior. |
DT101 | User Behavior Analytics (UBA) | Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events. |
DT027 | Windows Prefetch | In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution. Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists. |