Installing Malicious Software

The subject deploys destructive malware; software designed to irreversibly damage systems, erase data, or disrupt operational availability. Unlike ransomware, which encrypts files to extort payment, destructive malware is deployed with the explicit intent to delete, corrupt, or disable systems and assets without recovery. Its objective is disruption or sabotage, not necessarily for direct financial gain.

This behavior may include:

• Wiper malware (e.g. HermeticWiper, WhisperGate, ZeroCleare)
• Logic bombs or time-triggered deletion scripts
• Bootloader overwrite tools or UEFI tampering utilities
• Mass delete or format scripts (format, cipher /w, del /s /q, rm -rf)
• Data corruption utilities (e.g. file rewriters, header corruptors)
• Credential/system-wide lockout scripts (e.g. disabling accounts, resetting passwords en masse)

Insiders may deploy destructive malware as an act of retaliation (e.g. prior to departure), sabotage (e.g. to disrupt an investigation or competitor), or under coercion. Detonation may be manual or scheduled, and in some cases the malware is disguised as routine tooling to delay detection.

Destructive deployment is high-severity and often coincides with forensic tampering or precursor access based infringements (e.g. file enumeration or backup deletion).

The subject deploys credential-harvesting malware (commonly referred to as an infostealer) to extract sensitive authentication material or session artifacts from systems under their control. These payloads are typically configured to capture data from browser credential stores (e.g., Login Data SQLite databases in Chromium-based browsers), password vaults (e.g., KeePass, 1Password), clipboard buffers, Windows Credential Manager, or the Local Security Authority Subsystem Service (LSASS) memory space.

Infostealers may be executed directly via compiled binaries, staged through malicious document macros, or loaded reflectively into memory using PowerShell, .NET assemblies, or process hollowing techniques. Some variants are fileless and reside entirely in memory, while others create persistence via registry keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks.

While often associated with external threat actors, insider deployment of infostealers allows subjects to bypass authentication safeguards, impersonate peers, or exfiltrate internal tokens for later use or sale. In cases where data is not immediately exfiltrated, local staging (e.g., in %AppData%, %Temp%, or encrypted containers) may indicate an intent to transfer data offline or deliver it via alternate channels.

The subject deploys software designed to record keystrokes entered on an endpoint to capture credentials, sensitive communications, internal documentation, or intellectual property. Keyloggers may be introduced as standalone binaries, embedded within otherwise legitimate tools, or configured through dual-use frameworks (e.g. C++ dropper with keylogging module). In insider scenarios, the deployment is typically local and deliberate, leveraging the subject’s physical access or assigned privileges to bypass existing controls.

Keyloggers operate in one of several modes:

• Kernel-based: Install drivers or hook low-level keyboard input APIs (e.g. Kbdclass.sys) to intercept inputs pre-OS.
• User-mode: Hook Windows APIs (SetWindowsHookEx, GetAsyncKeyState, GetForegroundWindow) to log input tied to active processes or windows.
• Form grabbers: Intercept browser or GUI form submissions, often bypassing SSL/TLS encryption by logging data pre-submission.
• Clipboard and screen scrapers: Supplement keylogging with capture of copied content and screenshots for contextual awareness.

Captured data is typically stored in encrypted local files (e.g. %TEMP%, %APPDATA%, or hidden directories), periodically exfiltrated via email, FTP, HTTP POST, or external storage.

The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access.

Ransomware payloads are typically compiled as executables, occasionally obfuscated using packers or crypters to evade detection. Execution may be initiated via command-line, scheduled task, script wrapper, or automated loader. Encryption routines often target common file extensions recursively across accessible volumes, mapped drives, and cloud sync folders. In advanced deployments, the subject may disable volume shadow copies (vssadmin delete shadows) or stop backup agents (net stop) prior to detonation to increase impact.

In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive.

The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.

RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode). 

Functionality typically includes:

• Full GUI or shell access
• File system interaction
• Screenshot and webcam capture
• Credential harvesting
• Process and registry manipulation
• Optional keylogging and persistence modules

Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (mshta, rundll32). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

A web proxy can allow for specific web resources to be blocked, preventing clients from successfully connecting to them.

An anti-virus solution detect and alert on malicious files, including the ability to take autonomous actions such as quarantining or deleting the flagged file.

Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection.

Certain infringements can be prevented by prohibiting certain devices from being brought on-site.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Using Group Policy on Windows it is possible to block execute, read, and write operations related to a removeable disk, such as an SD card or USB mass storage devices.

In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

Open the following policies and set them all to Enabled:

Removeable Disk: Deny execute access

Removeable Disk: Deny read access

Removeable Disk: Deny write access

Static code analysis integrated into CI/CD pipelines provides a critical prevention mechanism against anti-forensic behaviors embedded in code, scripts, and infrastructure definitions. By enforcing automated review of logic patterns prior to deployment, organizations can detect concealed execution paths, scheduling abuse, and evasive constructs before they reach production.

This control is especially vital in mitigating deferred execution techniques, where the subject inserts code that activates long after submission—typically to evade scrutiny or delay attribution. Static analysis enables defenders to identify high-risk patterns at rest, before runtime, reducing reliance on reactive detection and shortening investigative timelines.

Detection of Time-Based Execution Logic:
Flag conditional statements that compare system time or date against hardcoded thresholds or calculated values.
Examples:

• if (datetime.now() > target_date)
• if time.time() > 1723468800 (UNIX timestamp obfuscation)

Abnormal Delay Functions and Sleep Calls:
Block or escalate the use of delay functions exceeding operational thresholds. Focus on calls intended to stall execution post-deployment.
Examples:

• sleep(3600)
• Start-Sleep -Seconds 1800
• Thread.sleep(900000) (in Java)

Embedded Scheduler References in Scripts:
Detect scripting logic that attempts to create or modify scheduled tasks, cron jobs, or background triggers.
Examples:

• echo '0 4 * * * /usr/bin/script.sh' >> /etc/crontab
• schtasks /create /tn "Update" /tr C:\temp\payload.exe /sc once /st 23:59
• at now + 1 minute /interactive "cmd.exe"

Identification of Obfuscation and Dynamic Constructs:
Scan for base64-encoded, concatenated, or dynamically constructed commands that attempt to evade static detection of time or scheduling logic.
Examples:

• eval(base64.b64decode(payload))
• task_command = "schtasks" + " /create /sc daily"
• exec("sleep " + str(delay_seconds))

CI/CD Blocking and Exception Escalation:
Treat the above patterns as rule violations within CI/CD pipelines. Enforce blocking behavior unless a security-reviewed exception is filed. Ensure exception cases are logged, tagged, and auditable.

Pre-Deployment Artifact Scanning:
Apply static analysis not only to source code but to bundled artifacts such as container images, compiled scripts, or deployment templates (e.g., Terraform, CloudFormation) to catch embedded logic in infrastructure as code (IaC).

Cross-Team Code Review and Signature Expansion:
Maintain shared detection signatures across DevSecOps, application security, and insider risk teams. Regularly review triggered matches to refine accuracy and discover new anti-forensic variants.

Attestation of Safe Logic by Departing Engineers:
Require final code audits for subjects flagged for departure or termination. Mandate re-review of any automation, CI/CD jobs, or privileged scripting authored by the subject.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.

By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected.

In cyber deception, a "honey user" (or "honey account") is a decoy user account designed to detect and monitor malicious activities. These accounts attract attackers by appearing legitimate or using common account names, but any interaction with them is highly suspicious and flagged for investigation. Honey users can be deployed in various forms, such as Active Directory users, local system accounts, web application users, and cloud users.

A honeypot is a decoy system that mimics a legitimate system or service, enticing a malicious actor to interact with it. It records any interaction for later review.

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

Implement Deep Packet Inspection (DPI) tools to inspect the content of network packets beyond the header information. DPI can identify unusual patterns and hidden data within legitimate protocols. DPI can be conducted with a range of software and hardware solutions, such as Unified Threat Management (UTM) and Next-Generation Firewalls (NGFWs), as well as Intrusion Detection and Prevention Systems (IDPS) such as Snort and Suricata, 

Monitor DNS queries and outbound HTTP/S traffic to known domains associated with browser-based remote access services. These platforms—such as LogMeIn, AnyDesk, Chrome Remote Desktop, and Microsoft RD Web Access—allow subjects to initiate or maintain remote sessions outside of approved IT infrastructure. Their use may indicate preparation for unauthorized remote access, data exfiltration, or external collaboration.

Detection Methods:

• Collect and analyze DNS logs and web proxy traffic across all egress points.
• Maintain and regularly update a threat intelligence list of domains and subdomains linked to web-based remote desktop platforms.
   

Example domains and subdomains include:

• logmein.com
• remotedesktop.google.com
• anydesk.com
• rdweb.wvd.microsoft.com
• teamviewer.com
• parsec.app
• splashtop.com

Configure alerting for:

• First-time access to any listed domain by a user or endpoint.
• Repeated access over time, suggesting potential session establishment.
• Access outside approved VPN channels or corporate IP ranges.
• DNS tunneling or large data transfers over HTTPS to these platforms.

Integrate results with identity sources to correlate web access with role-based access expectations.

Logging DNS requests made by corporate devices can assist with identifying what web resources a system has attempted to or successfully accessed.

Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.

NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.

Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors.

Network Intrusion Detection Systems (NIDS) can alert on abnormal, suspicious, or malicious patterns of network behavior. 

Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation.

Deploy User and Entity Behavior Analytics (UEBA) solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and other non-human resources. UEBA systems track normal behavior patterns and detect anomalies that could indicate potential insider events. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior.

Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.

In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in c:\windows\prefetch, these files are created with the extension .pf and have the following format <EXECUTABLE>-<HASH>.pf.

These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.

Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.