Insider Threat Matrix™
  • ID: DT148
  • Created: 23rd October 2025
  • Updated: 23rd October 2025
  • Platform: Windows
  • MITRE ATT&CK®: DS0024
  • Contributor: The ITM Team

Installed Software via Registry

Three key registry paths can be used to enumerate installed software. Each subkey beneath them corresponds to one entry in the Programs and Features list:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ - machine-wide installs (64-bit applications on 64-bit Windows)
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ - machine-wide installs of 32-bit applications on 64-bit Windows
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ - per-user installs; only the currently loaded user hive is visible here, so other users' installs require loading their hives under HKEY_USERS

Registry values of interest include:

  • DisplayName - the name of the application
  • DisplayVersion - the version of the application
  • InstallLocation - the location on disk where files related to the application are stored
  • Publisher - the publisher of the application
  • InstallDate - the installation date as a yyyyMMdd string, where the installer recorded one; useful for timelining

Software that is run without an installer (portable executables, code cloned or compiled from a repository, a binary copied from removable media) writes no Uninstall entry, so this data source should be paired with file, process or application-control telemetry rather than relied on alone.
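The enumeration described above, as an added PowerShell example (not code from the ITM page): it reads the three Uninstall paths, collects the values of interest, and flags every entry that is not on an approved-software list. The $Approved allow-list and the $WatchList names are constructed placeholders for illustration; the watch names are the anti-idle and mining tools the page itself mentions.

```powershell
# Added example, not part of the ITM page: enumerate installed software from the
# three Uninstall paths listed above and flag entries that are not on an
# approved-software list. $Approved and $WatchList are constructed placeholders;
# replace them with the organization's own data.

$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',             # 64-bit apps, machine-wide
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'              # per-user installs, current user only
)

# Hypothetical allow-list of approved DisplayName values (assumption).
$Approved = @('Microsoft Edge', 'Google Chrome', 'Microsoft 365 Apps for enterprise', '7-Zip')

# Tool names the page calls out (anti-idle utilities and miners); matched
# case-insensitively against DisplayName and InstallLocation.
$WatchList = @('caffeine', 'xmrig', 'ethminer', 'phoenixminer', 'nicehash')

function Get-InstalledSoftware {
    foreach ($path in $UninstallPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($key in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            # Subkeys with no DisplayName are typically component or update entries; skip them.
            if (-not $props.DisplayName) { continue }
            [PSCustomObject]@{
                DisplayName     = $props.DisplayName
                DisplayVersion  = $props.DisplayVersion
                Publisher       = $props.Publisher
                InstallLocation = $props.InstallLocation
                InstallDate     = $props.InstallDate   # yyyyMMdd string when present; useful for timelining
                RegistryKey     = $key.Name            # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...\Uninstall\{GUID}
            }
        }
    }
}

function Find-UnapprovedSoftware {
    param([object[]]$Inventory)
    foreach ($entry in $Inventory) {
        if ($Approved -contains $entry.DisplayName) { continue }
        $text = "$($entry.DisplayName) $($entry.InstallLocation)"
        $hits = @($WatchList | Where-Object { $text -match [regex]::Escape($_) })
        # Anything not on the allow-list is a candidate IF009 finding; a watch-list hit
        # raises the priority (IF009.005 anti-sleep tools, IF009.006 miners).
        $entry | Add-Member -NotePropertyName Watch -NotePropertyValue ($hits -join ',') -PassThru
    }
}

$inventory  = Get-InstalledSoftware
$unapproved = Find-UnapprovedSoftware -Inventory $inventory

# Watch-list hits first, then alphabetical.
$unapproved |
    Sort-Object -Property @{ Expression = { $_.Watch -ne '' }; Descending = $true }, DisplayName |
    Format-Table -Property DisplayName, DisplayVersion, Publisher, InstallDate, Watch, RegistryKey -AutoSize

# Keep a machine-readable copy for the investigation timeline.
$unapproved | Export-Csv -Path '.\DT148-unapproved-software.csv' -NoTypeInformation
```

Run it in an elevated session so the HKLM keys are fully readable. The HKCU path only reflects the logged-on user; to review other profiles on the machine, load their NTUSER.DAT under HKEY_USERS with reg load and query that hive instead. Prefer this registry walk over the Win32_Product WMI class, which triggers a consistency check (and possible repair) of every MSI package each time it is queried. Remember that portable or side-loaded binaries, such as the xmrig copy in the IF009.006 scenario below, leave no Uninstall entry at all.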

Sections

ID Name Description
IF009 Installing Unapproved Software

A subject installs software onto an organization-managed system without prior approval or outside sanctioned methods (e.g., centralized package management, internal software portals). This behavior spans a spectrum of risk - from seemingly benign installations (e.g., video games, personal browsers, media players) to unauthorized deployment of potentially harmful tools sourced from unvetted repositories or adversarial infrastructure.

The infringement may involve:

  • Manual download and execution of installer packages
  • Use of administrative access to bypass endpoint restrictions
  • Cloning or compiling code from external code repositories such as GitHub

While some installations may appear harmless, unapproved software installs can represent a breakdown in configuration control and acceptable use. In high-risk scenarios, such software may introduce remote access mechanisms, data exfiltration capabilities, or other malware. Even benign cases signal behavioral drift, particularly when repeated or ignored, and can contribute to software sprawl, policy erosion, or eventual exploitation.

PR003 Software Installation

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

ME002 Unrestricted Software Installation

A subject can install software on a device without restriction.

AF022 Virtualization

The subject leverages virtualization technologies—including hypervisors and virtual machines—to obscure forensic artifacts, isolate malicious activity, or evade host-based monitoring. By conducting operations within a guest operating system, the subject reduces visibility to host-level security tools and complicates the forensic process by separating volatile and persistent data across system boundaries.

This strategy allows the subject to:

  • Contain incriminating tools, logs, or staged data entirely within a VM.
  • Avoid leaving artifacts on the host system's registry, file system, or memory.
  • Leverage disposable VMs to execute high-risk actions and erase evidence through snapshot rollback or VM deletion.
  • Evade host-based endpoint detection and response (EDR) tools that lack introspection into virtualized environments.
  • Run guest OSes in stealth configurations (e.g., nested VMs, portable hypervisors) to further frustrate attribution and recovery efforts.

IF029 Codebase Integrity Compromise

A subject introduces, modifies, or manages code within an organizational repository in a manner that compromises the integrity, security, governance, or intended function of the codebase. This includes the addition of unauthorized features, insecure or non-compliant implementations, malicious logic, or changes that alter system behavior outside approved processes or expectations.

These actions occur through legitimate development workflows, such as commits, pull requests, merges, or dependency updates, using access granted as part of the subject’s role. As a result, the activity often appears routine at the point of execution and may inherit implicit trust through standard development and deployment pipelines.

Codebase integrity compromise may manifest in multiple forms, including:

  • Introduction of backdoors, logic bombs, or hidden functionality
  • Deliberate or reckless creation of vulnerabilities or insecure code
  • Implementation of features or changes that bypass product, security, or governance approval
  • Manipulation of dependencies, packages, or third-party components
  • Subtle degradation of system performance, reliability, or correctness

The defining characteristic of this behavior is the misuse of trusted development access to alter the codebase in a way that undermines organizational control, security, or operational intent. The resulting impact may be immediate or delayed, with harmful effects often emerging only after deployment, integration, or specific runtime conditions are met.

PR038 AI-Assisted Capability Development

A subject uses artificial intelligence systems to acquire knowledge and understanding that enables them to bypass controls, exploit systems, or perform actions outside of their legitimate business needs.

This behavior involves interacting with AI tools, such as browser-based assistants or integrated software features, to obtain explanations, procedural guidance, or technical instruction that can be directly applied within the organizational environment. Through iterative prompting, the subject refines their understanding, resolves uncertainties, and develops the capability required to execute actions they would not otherwise be able to perform.

Unlike traditional research methods, which rely on static sources and require independent interpretation, AI systems provide responsive, context-aware assistance that accelerates comprehension and reduces the effort required to translate knowledge into action. This allows subjects to overcome technical barriers quickly and operate beyond their expected level of expertise.

The defining characteristic of this behavior is the development of actionable capability through AI-assisted understanding, specifically where that capability can be used to defeat controls, circumvent safeguards, or misuse access. The subject is not simply gathering information, but actively building the means to act in a way that conflicts with organizational policy or intent.

This preparation technique may support a wide range of downstream behaviors across the matrix, including unauthorized access, data manipulation, process circumvention, or anti-forensic activity. The AI system functions as an on-demand technical guide, enabling the subject to operationalize intent without formal training or prior experience.

IF009.002 Inappropriate Software

A subject installs software that is not considered appropriate by the organization.

IF009.005 Anti-Sleep Software

The subject installs or enables software, scripts, or hardware devices designed to prevent systems from automatically locking, logging out, or entering sleep mode. This unauthorized action deliberately subverts security controls intended to protect unattended systems from unauthorized access.

Characteristics

  • Circumvents policies enforcing session locks, idle timeouts, and mandatory logout periods.
  • May involve third-party applications ("caffeine" tools), anti-idle scripts, or physical devices such as USB mouse jigglers.
  • Typically deployed without organizational approval or awareness.
  • Leaves systems continuously unlocked and accessible, undermining endpoint security and physical safeguards.
  • Renders full disk encryption protections ineffective while the system remains powered and unlocked.
  • Creates opportunities for unauthorized access, data exfiltration, or device compromise by malicious insiders or third parties.

Example Scenario

A subject installs unauthorized anti-sleep software on a corporate laptop to prevent automatic locking during idle periods. As a result, the device remains accessible even when left unattended in unsecured environments such as cafes, airports, or shared workspaces. This action bypasses mandatory screen-lock policies and renders full disk encryption protections ineffective, exposing sensitive organizational data to theft or compromise by malicious third parties who can physically access the unattended device.

IF009.006 Installing Crypto Mining Software

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.

Characteristics

  • Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
  • May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
  • Often configured to throttle resource usage during business hours to evade human and telemetry detection.
  • Establishes persistent outbound network connections to mining pools (e.g., via the Stratum mining protocol over TCP, often wrapped in TLS and frequently on non-standard ports).
  • Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions.
  • Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls.

Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.

IF009.001 Unwanted Software

A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.

AF022.001 Use of a Virtual Machine

The subject uses a virtual machine (VM) on an organization-managed device to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations.

By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.

PR025.004 File Download via Cloud Storage Synchronization

The subject retrieves files by syncing with cloud storage platforms such as OneDrive, Google Drive, or Dropbox. Files may be selectively synced or fully mirrored to the endpoint.

This method blends with legitimate enterprise workflows and may evade traditional download detection mechanisms, especially where cloud services are sanctioned. It also enables large-scale or continuous ingestion of data with minimal user interaction.

PR025.006 File Download via Messaging Platforms

The subject retrieves files from enterprise or consumer messaging platforms such as Teams, Slack, or other collaboration tools. Files may be shared directly in chats, channels, or through integrated file storage components.

Messaging platforms often operate as semi-trusted environments, particularly when enterprise-approved, allowing file transfers to blend with legitimate collaboration. Where personal or unsanctioned messaging platforms are used, visibility may be significantly reduced or absent.

PR025.008 File Download via API or Application Integration

The subject uses APIs or integrated applications (e.g., Git clients, SaaS integrations, or custom scripts) to pull files from external systems. This includes automated retrieval from repositories, data platforms, or third-party services.

This behavior is often tied to legitimate workflows but may be repurposed to extract or stage data at scale, particularly where API access is insufficiently monitored.