Detections
- Home
- - Detections
- -DT011
- ID: DT011
- Created: 25th May 2024
- Updated: 25th July 2024
- Platforms: Windows, Linux, MacOS,
- Contributor: The ITM Team
Cyber Deception, Honey User
In cyber deception, a "honey user" (or "honey account") is a decoy user account designed to detect and monitor malicious activities. These accounts attract attackers by appearing legitimate or using common account names, but any interaction with them is highly suspicious and flagged for investigation. Honey users can be deployed in various forms, such as Active Directory users, local system accounts, web application users, and cloud users.
Sections
ID | Name | Description |
---|---|---|
ME028 | Delegated Access via Managed Service Providers | An organization entrusts a Managed Service Provider (MSP) with administrative or operational access to its digital environment - typically for IT support, system maintenance, or development functions. This access is often persistent, privileged, and spans sensitive infrastructure or data environments.
The means is established when MSP personnel, including potential subjects, are permitted to authenticate into the client’s environment from systems or networks entirely outside the client's visibility or jurisdiction. These MSP endpoints may be unmanaged, unmonitored, or physically located in regions where customer organization's policies, incident response authority, or legal recourse do not apply.
This creates an unobservable access channel: the subject operates from infrastructure beyond the reach of the customer organization's logging, endpoint detection, or identity correlation. The organization is therefore unable to monitor or verify who accessed what, when, or from where—rendering all downstream actions unauditable by the customer organization's internal security teams, unless mirrored within the client-controlled environment.
The exposure can be compounded by the MSP’s internal controls (or lack thereof). Weak credential custody practices, shared administrative accounts, inadequate background checks, or poor workforce segmentation create conditions where privileged misuse or unauthorized access can occur without attribution or immediate detection. The subject does not require escalation—they begin with sanctioned access and operate under delegated trust, often without the constraints applied to internal staff.
This structural dependency - privileged access held externally, without enforceable oversight - creates the necessary conditions for an insider infringement to occur with low risk of interruption or accountability. |
IF027 | Installing Malicious Software | The subject deliberately or inadvertently introduces malicious software (commonly referred to as malware) into the organization’s environment. This may occur via manual execution, automated dropper delivery, browser‑based compromise, USB usage, or sideloading through legitimate processes. Malicious software includes trojans, keyloggers, ransomware, credential stealers, remote access tools (RATs), persistence frameworks, or other payloads designed to cause harm, exfiltrate data, degrade systems, or maintain unauthorized control.
Installation of malicious software represents a high-severity infringement, regardless of whether the subject's intent was deliberate or negligent. In some cases, malware introduction is the culmination of prior behavioral drift (e.g. installing unapproved tools or disabling security controls), while in others it may signal malicious preparation or active compromise.
This Section is distinct from general “Installing Unapproved Software”, which covers non‑malicious or policy-violating tools. Here, the software itself is malicious in purpose or impact, even if delivered under benign pretenses. |
PR027.002 | Impersonation via Collaboration and Communication Tools | The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy.
Impersonation in this context can be achieved through:
The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds.
Example Scenarios:
|
IF027.001 | Infostealer Deployment | The subject deploys credential-harvesting malware (commonly referred to as an infostealer) to extract sensitive authentication material or session artifacts from systems under their control. These payloads are typically configured to capture data from browser credential stores (e.g.,
Infostealers may be executed directly via compiled binaries, staged through malicious document macros, or loaded reflectively into memory using PowerShell, .NET assemblies, or process hollowing techniques. Some variants are fileless and reside entirely in memory, while others create persistence via registry keys (e.g.,
While often associated with external threat actors, insider deployment of infostealers allows subjects to bypass authentication safeguards, impersonate peers, or exfiltrate internal tokens for later use or sale. In cases where data is not immediately exfiltrated, local staging (e.g., in |
IF027.003 | Keylogger Deployment | The subject deploys software designed to record keystrokes entered on an endpoint to capture credentials, sensitive communications, internal documentation, or intellectual property. Keyloggers may be introduced as standalone binaries, embedded within otherwise legitimate tools, or configured through dual-use frameworks (e.g. C++ dropper with keylogging module). In insider scenarios, the deployment is typically local and deliberate, leveraging the subject’s physical access or assigned privileges to bypass existing controls.
Keyloggers operate in one of several modes:
Captured data is typically stored in encrypted local files (e.g. |
IF027.004 | Remote Access Tool (RAT) Deployment | The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.
RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode).
Functionality typically includes:
Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins ( |