Preventions
- Home
- - Preventions
- -PV002
- ID: PV002
- Created: 25th May 2024
- Updated: 25th May 2024
- Contributor: The ITM Team
Restrict Access to Administrative Privileges
The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.
Sections
ID | Name | Description |
---|---|---|
IF009 | Installing Unapproved Software | A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment. |
PR001 | Read Windows Registry | A subject may read the Windows registry using Registry Viewer or PowerShell to help them gain more information about the system, such as keys related to security controls. |
ME007 | Privileged Access | A subject has privileged access to devices, systems or services that hold sensitive information. |
PR006 | Security Software Enumeration | A subject attempts to identify security software or other surveillance software/services on a target system. |
IF005 | Exfiltration via Messaging Applications | A subject uses a messaging application to exfiltrate data through messages or uploaded media. |
IF011 | Providing Access to a Unauthorized Third Party | A subject intentionally provides system or data access to a third party that is not authorized to access it. |
PR017 | Archive Data | A subject uses utilities to compress and/or encrypt collected data prior to exfiltration. |
PR005 | IT Ticketing System Exploration | A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information. |
ME002 | Unrestricted Software Installation | A subject can install software on a device without restriction. |
ME016 | System Startup Firmware Access | A subject has the ability to access the system startup firmware of a target system. |
AF002 | Clear Operating System Logs | A subject clears operating system logs to hide evidence of their activities. |
AF009 | Log Tampering | A subject may attempt to modify log files, as opposed to deleting them, to remove evidence of their actions. |
AF013 | Delete User Account | A subject may delete user accounts to obscure their activities and delete all files associated with that user. |
AF016 | Uninstalling Software | The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as regsitry keys or files necessary for the software to run, preventing them from being used by investigators to track activity. |
PR003.001 | Installing Virtual Machines | A subject installs a hypervisor that allows them to create and access virtual environments on a device. |
PR003.002 | Installing VPN Applications | A subject installs a VPN application that allows them to tunnel their traffic. |
PR003.003 | Installing Browsers | A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction. |
PR003.004 | Installing Browser Extensions | A subject can install unapproved browser extensions that provide additional features and functionality to the browser. |
PR003.005 | Installing Cloud Storage Applications | A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet. |
PR003.006 | Installing Note-Taking Applications | A subject installs an unapproved note taking application with the ability to sync notes across the Internet. |
PR003.007 | Installing Messenger Applications | A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet. |
PR003.008 | Installing SSH Clients | A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network. |
PR003.009 | Installing FTP Clients | A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network. |
PR003.010 | Installing RDP Clients | A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network. |
PR003.011 | Installing Screen Sharing Software | A subject installs screen sharing software which can be used to capture images or other information from a target system. |
PR006.001 | Security Enumeration via Windows Registry | A subject attempts to identify security software through keys and values within the Windows registry. |
PR006.002 | Security Enumeration via Running Processes | A subject observes running processes on the target system in an attempt to identify any security agents or software that is running. |
PR006.003 | Security Enumeration via File System | A subject attempts to identify security software on a target system by looking through the file system to identify relevant directories or files. |
ME016.001 | Target Disk Mode Access | A subject has the ability to put the target system into “Target Disk Mode” (MacOS). |
AF002.001 | Clear Windows Event Logs | A subject clears Windows Event logs to conceal evidence of their activities. Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events. The logs are stored in Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges. |
AF013.001 | Delete Local Windows User | A subject may delete user accounts to obscure their activities and delete files and information associated with that user. |
AF013.002 | Delete Windows Active Directory User | A subject may delete user accounts to obscure their activities and delete files and information associated with that user. |
AF013.003 | Delete Local Linux User | A subject may delete user accounts to obscure their activities and delete files and information associated with that user. |
AF013.004 | Delete Local Mac User | A subject may delete user accounts to obscure their activities and delete files and information associated with that user. |
ME003.011 | Screen Sharing Software | A subject has access to or can install screen sharing software which can be used to capture images or other information from a target system. |
PR018.001 | Uninstalling a Security Agent | A subject abuses their access or conducts unapproved changes to uninstall a security agent that is present on a system. |
PR018.002 | Impairing a Security Agent | A subject abuses their access or conducts unapproved changes to impair the effectiveness of a security agent, such as causing it to crash or killing any associated system processes. |
PR018.005 | Uninstalling an Anti-Virus Solution | A subject abuses their access or conducts unapproved changes by uninstalling the anti-virus solution installed on a system. |
IF002.007 | Exfiltration via Target Disk Mode | When a Mac is booted into Target Disk Mode (by powering the computer on whilst holding the ‘T’ key), it acts as an external storage device, accessible from another computer via Thunderbolt, USB, or FireWire connections. A subject with physical access to the computer, and the ability to control boot options, can copy any data present on the target disk, bypassing the need to authenticate to the target computer. |
IF014.004 | Modification of Access Controls | The subject makes unauthorized changes to access controls resulting in harm. Examples include resetting/changing passwords, locking accounts, or deleting accounts. |
AF007.001 | Delete or Modify Registry Key | The subject deletes or modifies Windows Registry keys to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting these keys can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system. |
AF007.002 | Delete or Modify Registry Key Value | The subject deletes or modifies Windows Registry key values to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting key values can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system. |
IF014.006 | Deletion of Other IT Resources | The subject deletes IT resources resulting in harm to the organization. Examples include virtual machines, virtual disk images, user accounts, and DNS records. |
IF011.003 | Providing Unauthorized Access to a Collaboration Platform | The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account. |
PR006.004 | Security Enumeration via Network Activity | A subject attempts to identify security software by monitoring network traffic. |
AF018.001 | Endpoint Tripwires | A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity.
The tripwire software monitors various aspects of the endpoint to detect potential investigations:
Upon detecting security activity, the tripwire can initiate various evasive responses:
|
AF018.002 | Environment Tripwires | The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.
This tripwire API is embedded within various parts of the environment:
Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:
The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.
Upon detecting activity, the API tripwire can take immediate evasive actions:
|