Insider Threat Matrix™Insider Threat Matrix™
  • ID: DT043
  • Created: 02nd June 2024
  • Updated: 17th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

Sysmon Process Create Event

This detection is not enabled by default and requires additional configuration.

System Monitor (Sysmon) Event ID 1 is used to record process execution. Reviewing these logs can determine what software has been run on a system.

Sections

ID Name Description
PR017Archive Data

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

IF009Installing Unapproved Software

A subject installs software onto an organization-managed system without prior approval or outside sanctioned methods (e.g., centralized package management, internal software portals). This behavior spans a spectrum of risk - from seemingly benign installations (e.g., video games, personal browsers, media players) to unauthorized deployment of potentially harmful tools sourced from unvetted repositories or adversarial infrastructure.

 

The infringement may involve:

 

  • Manual download and execution of installer packages
  • Use of administrative access to bypass endpoint restrictions
  • Cloning or compiling code from external code repositories such as GitHub

 

While some installations may appear harmless, unapproved software installs can represent a breakdown in configuration control and acceptable use. In high-risk scenarios, such software may introduce remote access mechanisms, data exfiltration capabilities, or other malware. Even benign cases signal behavioral drift, particularly when repeated or ignored, and can contribute to software sprawl, policy erosion, or eventual exploitation.

PR003Software Installation

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

ME003Installed Software

A subject can leverage software approved for installation or software that is already installed.

ME006Web Access

A subject can access the web with an organization device.

PR019Private / Incognito Browsing

Private browsing, also known as 'incognito mode' among other terms, is a feature in modern web browsers that prevents the storage of browsing history, cookies, and site data on a subject's device. When private browsing is enabled, it ensures any browsing activity conducted during the browser session is not saved to the browser history or cache.

 

A subject can use private browsing to conceal their actions in a web browser, such as navigating to unauthorized websites, downloading illicit materials, uploading corporate data or conducting covert communications, thus leaving minimal traces of their browsing activities on a device and frustrating forensic recovery efforts.

AF022Virtualization

The subject leverages virtualization technologies—including hypervisors and virtual machines—to obscure forensic artifacts, isolate malicious activity, or evade host-based monitoring. By conducting operations within a guest operating system, the subject reduces visibility to host-level security tools and complicates the forensic process by separating volatile and persistent data across system boundaries.

 

This strategy allows the subject to:

 

  • Contain incriminating tools, logs, or staged data entirely within a VM.
  • Avoid leaving artifacts on the host system's registry, file system, or memory.
  • Leverage disposable VMs to execute high-risk actions and erase evidence through snapshot rollback or VM deletion.
  • Evade host-based endpoint detection and response (EDR) tools that lack introspection into virtualized environments.
  • Run guest OSes in stealth configurations (e.g., nested VMs, portable hypervisors) to further frustrate attribution and recovery efforts.
AF026Log Modification

The subject intentionally alters or removes log entries, either at the host, application, or network level, in a deliberate attempt to conceal or misrepresent their actions. This behavior is typically executed to frustrate forensic reconstruction during an investigation and may include deletion of individual log lines, rewriting timestamps, or manipulating source IPs or usernames.

 

Subjects engaging in this technique may use native administrative tools (e.g., PowerShell, auditpol, journalctl), third-party log scrubbers, or direct file system access to tamper with .evtx, .log, or flat text logs.

AF035Native Application Misuse

Native application misuse occurs when a subject uses applications, services, binaries, scripts, or administrative utilities already present on a corporate endpoint or server to support, conceal, or facilitate an infringement without introducing new software. This may include exploring built-in operating system/command line tools, approved productivity applications, scripting environments, messaging clients, compression utilities, remote access components, cloud storage integrations, or endpoint management features to identify capabilities that can be repurposed for unauthorized outcomes.

 

The anti-forensics significance of this behavior is that the subject’s activity may appear consistent with legitimate operational use. Unlike the installation of unauthorized tools or overt malware, native application misuse relies on capabilities that are already trusted, allowed, or commonly present in the environment. This can make it difficult for investigators to distinguish legitimate activity from illegitimate activity without strong context, baseline comparison, command-line visibility, file access history, and correlation with the subject’s role, timing, intent, and surrounding investigative indicators.

 

A subject may deliberately elect to use a more complicated or convoluted method to achieve an illegitimate outcome when that method relies on native applications or approved services. In these cases, the subject may avoid introducing external software even where doing so would make the task faster, simpler, or more technically effective. The investigative significance is that the inefficient method may itself be purposeful: by operating through trusted tools already present on the endpoint, the subject reduces the number of distinct control violations, avoids software-installation indicators, and makes the activity harder to separate from legitimate business use.

 

This behavior may contribute to or facilitate an infringement by allowing a subject to stage, compress, transfer, hide, rename, encode, delete, alter, or access data using tools that do not independently appear suspicious. It may also support behavioral drift where repeated minor misuse of approved tools becomes normalized within a team or population, reducing the organization’s ability to identify meaningful deviations from acceptable use.

 

Investigative Relevance

Native application misuse should be assessed in relation to the subject’s role, normal working patterns, endpoint baseline, approved business processes, and the sensitivity of the data involved. Investigators should avoid treating native tool execution as inherently suspicious. The investigative concern arises when the subject uses ordinary capabilities in unusual combinations, at unusual times, against unusual data, or in ways that produce outcomes inconsistent with their duties.

 

Investigators should consider whether the subject’s chosen method appears unnecessarily complex when compared with easier external tooling options. Where a subject uses native applications in a slower, more manual, or more indirect manner, that choice may indicate an intent to preserve plausible legitimacy, avoid detection associated with unauthorized software, or obscure the behavioral sequence required to prove intent.

 

Relevant case logic may include:

  • A subject using built-in archive, scripting, browser, synchronization, or file management capabilities shortly before data loss, unauthorized access, or sabotage.
  • A subject performing repeated exploratory activity against native utilities, administrative consoles, local services, or corporate applications that are not required for their role.
  • A subject using approved tools to perform actions more commonly associated with staging, concealment, bulk collection, transfer, or destruction.
  • A subject’s activity remaining below traditional software-control thresholds because no new executable, installer, or external application was introduced.
  • A pattern of activity that appears individually explainable but collectively supports preparation, infringement, or anti-forensic concealment.

Example Behaviors

  • Using built-in compression or archive utilities to stage sensitive files before transfer.
  • Using PowerShell, shell scripts, command prompt, Terminal, or Windows Subsystem for Linux to enumerate, copy, encode, delete, or modify files.
  • Using corporate browsers, browser profiles, or approved extensions to access unsanctioned services without installing additional tools.
  • Using approved cloud synchronization clients to move files into locations that are less visible to standard file-share auditing.
  • Using native search, indexing, preview, or document history features to locate sensitive material outside normal workflow.
  • Using operating system rename, timestamp, metadata, recycle bin, clipboard, print-to-PDF, screenshot, or export functions to alter the appearance, location, or traceability of data.
  • Using existing remote access, collaboration, or screen-sharing services to view, transfer, or disclose information under the appearance of legitimate work activity.
  • Using scheduled tasks, launch agents, login items, shortcuts, or automation features already present on the endpoint to repeat activity without installing new software.
PR017.001Archive via Utility

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

PR017.002Archive via Library

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

PR017.003Archive via Compression

A subject uses utilities to compress collected data prior to exfiltration.

PR017.004Archive via Encryption

A subject uses utilities to encrypt collected data prior to exfiltration.

IF005.001Exfiltration via Installed Messaging Application

A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system.

PR003.011Installing Screen Sharing Software

A subject installs screen sharing software which can be used to capture images or other information from a target system.

PR003.010Installing RDP Clients

A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network.

PR003.009Installing FTP Clients

A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network.

PR003.008Installing SSH Clients

A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network.

PR003.007Installing Messenger Applications

A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet.

PR003.006Installing Note-Taking Applications

A subject installs an unapproved note taking application with the ability to sync notes across the Internet.

PR003.005Installing Cloud Storage Applications

A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.

PR003.003Installing Browsers

A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction.

PR003.002Installing VPN Applications

A subject installs a VPN application that allows them to tunnel their traffic.

PR003.001Installing Virtual Machines

A subject installs a hypervisor that allows them to create and access virtual environments on a device.

IF009.002Inappropriate Software

A subject installs software that is not considered appropriate by the organization.

IF009.001Unwanted Software

A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.

IF002.006Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

IF004.004Exfiltration via Screen Sharing Software

A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as Teamviewer.

PR006.004Security Enumeration via Network Activity

A subject attempts to identify security software by monitoring network traffic.

AF022.001Use of a Virtual Machine

The subject uses a virtual machine (VM) on an organization device to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations.
 

By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.

AF022.002Use of Windows Subsystem for Linux (WSL)

The subject leverages Windows Subsystem for Linux (WSL) to contain forensic artifacts within a Linux-like runtime environment embedded in Windows. By operating inside WSL, the subject avoids writing sensitive data, tool activity, or command history to traditional Windows locations, significantly reducing visibility to host-based forensic and security tools.

 

WSL creates a logical Linux environment that appears separate from the Windows file system. Although some host-guest integration exists, activity within WSL often bypasses standard Windows event logging, registry updates, and process tracking. This allows the subject to execute scripts, use Unix-native tools, stage exfiltration, or decrypt payloads with minimal footprint on the host.

 

Example Scenarios:

 

  • The subject downloads and processes sensitive files inside the WSL environment using native Linux tools (e.g., scp, gpg, rsync), preventing access and modification timestamps from appearing in Windows Explorer or standard audit logs.
  • A subject extracts and stages exfiltration material in /mnt/c within WSL, using symbolic links and Linux file permissions to obscure its presence from Windows search and indexing services.
  • WSL is used to execute recon and credential-harvesting scripts (e.g., nmap, hydra, ssh enumeration tools), with no execution trace in Windows Event Logs.
  • Upon completion of activity, the subject deletes the WSL distribution, leaving minimal residue on the host system—especially if no antivirus or EDR coverage extends into the WSL layer.
PR003.012Installation of Dark Web-Capable Browsers

The subject installs a browser capable of accessing anonymity networks, such as the Tor Browser (used for .onion sites), I2P Router Console, or Freenet, as part of preparation for covert research, anonymous communication, or unmonitored data exchange. This behavior may support future infringement by enabling non-attributable activity outside sanctioned IT controls.

 

Installation of the Tor Browser Bundle typically involves downloading a signed executable or compressed package from https://www.torproject.org, executing an installer that unpacks a portable browser (a custom-hardened Firefox variant), and launching start-tor-browser.exe—which spawns both the Tor daemon (tor.exe) and the browser instance (firefox.exe) in a sandboxed environment. Configuration files such as torrc may be modified to enable pluggable transports (e.g., obfs4, meek) designed to evade deep packet inspection (DPI) or proxy enforcement.

 

In environments with proxy filtering, the subject may attempt to chain Tor through bridge relays or VPNs, obfuscate traffic using SOCKS5 tunneling, or execute from non-standard directories (e.g., cloud-sync folders, external volumes). Some subjects bypass endpoint controls entirely by booting into live-operating systems (e.g., Tails, Whonix) which route all system traffic through Tor by default and leave minimal forensic artifacts on host storage.

 

This installation is rarely accidental and often coincides with other policy evasions or drift indicators. The presence of anonymizing tools—even in dormant form—warrants scrutiny as a preparatory indicator linked to potential data exfiltration, credential harvesting, or external coordination.

IF027.004Remote Access Tool (RAT) Deployment

The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.

 

RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode). 

 

Functionality typically includes:

 

  • Full GUI or shell access
  • File system interaction
  • Screenshot and webcam capture
  • Credential harvesting
  • Process and registry manipulation
  • Optional keylogging and persistence modules

 

Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (mshta, rundll32). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.