Detections
- Home
- - Detections
- -DT104
- ID: DT104
- Created: 22nd September 2024
- Updated: 22nd September 2024
- Contributor: The ITM Team
Leaver Watchlist
In relevant security tooling (such as a SIEM or EDR), a watchlist (also known as a reference set) should be used to monitor for any activity generated by accounts belonging to employees who have left the organization, as this is unexpected. This can help to ensure that the security team readily detects any unrevoked access or account usage.
This process must be in partnership with the Human Resources team, which should inform the security team when an individual leaves the organization (during an Employee Off-Boarding Process, see PV024), including their full and user account names. Ideally, this process should be automated to prevent any gaps in monitoring between the information being sent and the security team adding the name(s) to the watchlist. All format variations should be considered as individual entries in the watchlist to ensure accounts using different naming conventions will generate alerts, such as john.smith, john smith, john.smith@company.com, and jsmith.
False positives could occur if there is a legitimate reason for interaction with the account(s), such as actions conducted by IT staff.
Sections
ID | Name | Description |
---|---|---|
MT003 | Leaver | A subject leaving the organisation with access to sensitive data with the intent to access and exfiltrate sensitive data or otherwise contravene internal policies. |
IF015 | Theft | A subject steals an item or items belonging to an organization, such as a corporate laptop or corporate mobile phone. |
AF024 | Account Misuse | The subject deliberately misuses account constructs to obscure identity, frustrate attribution, or undermine investigative visibility. This includes the use of shared, secondary, abandoned, or illicitly obtained accounts in ways that violate access integrity and complicate forensic analysis.
Unlike traditional infringement behaviors, account misuse in the anti-forensics context is not about the action itself—but about how identity is obfuscated or displaced to conceal that action. These behaviors sever the link between subject and activity, impeding both real-time detection and retrospective investigation.
Investigators encountering unexplainable log artifacts, attribution conflicts, or unexpected session collisions should assess whether account misuse is being used as a deliberate concealment tactic. Particular attention should be paid in environments lacking centralized identity governance or with known privilege sprawl.
Account misuse as an anti-forensics strategy often coexists with more overt infringements—enabling data exfiltration, sabotage, or policy evasion while preserving plausible deniability. As such, its detection is crucial to understanding subject intent, tracing activity with confidence, and restoring the chain of custody in incident response. |
IF015.001 | Theft of a Corporate Laptop | A subject steals a corporate laptop belonging to an organization. |
PR027.002 | Impersonation via Collaboration and Communication Tools | The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy.
Impersonation in this context can be achieved through:
The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds.
Example Scenarios:
|
AF024.001 | Account Obfuscation | The subject leverages multiple accounts under their control—each legitimate on its own—to distribute, disguise, or segment activity in a manner that defeats identity-based attribution. This technique, referred to as account obfuscation, is designed to frustrate forensic correlation between subject behavior and account usage.
Unlike role-sanctioned multi-account use (e.g., one account for user access, another for administrative tasks), account obfuscation involves the deliberate operational separation of actions across identities to conceal intent, evade controls, or introduce ambiguity. This may involve:
This behavior is often facilitated by weak identity governance, fragmented access models, or unmanaged role transitions. It is especially difficult to detect in environments where access provisioning is ad hoc, audit scopes are limited, or account correlation is not enforced at the SIEM or UAM level.
From an investigative standpoint, account obfuscation serves as a deliberate anti-forensics tactic—enabling subjects to operate with plausible deniability and complicating timeline reconstruction. Investigators should review cross-account behavior patterns, concurrent session overlaps, and role-permission inconsistencies when this technique is suspected. |
AF024.002 | Unauthorized Credential Use | The subject employs valid credentials that were obtained outside of sanctioned provisioning channels to conceal their identity or perform actions under a false or misleading identity. This behavior, categorized as unauthorized credential use, is distinct from traditional account compromise—it reflects insider-enabled misuse, not external intrusion.
Credentials may be acquired through casual observation (e.g., shoulder surfing or unlocked workstations), social engineering, prior access (e.g., retained credentials from a former role), or covert means such as password capture tools. In some cases, credentials may be voluntarily shared by a collaborator or acquired opportunistically from unmonitored or abandoned accounts.
This tactic allows the subject to dissociate their actions from their known identity, delay detection, and in some cases, redirect suspicion to another individual. When used within privileged or high-sensitivity environments, unauthorized credential use can enable significant harm while bypassing conventional identity-based controls and alerting mechanisms.
Unlike service account sharing or account obfuscation (which involve legitimate, active credentials assigned to the subject), this behavior revolves around unauthorized access to credentials not formally linked to the subject. Investigators should prioritize this sub-section when audit trails show activity under an identity that does not correspond to role expectations, known behavioral patterns, or device history.
Key forensic indicators include:
Unauthorized credential use is a high-risk concealment technique and often coincides with malicious or high-impact infringements. |