Restrict Access to Administrative Privileges

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

A subject may read the Windows registry using Registry Viewer or PowerShell to help them gain more information about the system, such as keys related to security controls.

A subject has privileged access to devices, systems or services that hold sensitive information.

A subject attempts to identify security software or other surveillance software/services on a target system. 

A subject uses a messaging application to exfiltrate data through messages or uploaded media.

A subject intentionally provides system or data access to a third party that is not authorized to access it.

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information.

A subject can install software on a device without restriction.

A subject has the ability to access the system startup firmware of a target system.

A subject clears operating system logs to hide evidence of their activities.

A subject may attempt to modify log files, as opposed to deleting them, to remove evidence of their actions.

A subject may delete user accounts to obscure their activities and delete all files associated with that user.

The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as regsitry keys or files necessary for the software to run, preventing them from being used by investigators to track activity.

A subject uses a mechanism to increase or add privileges assigned to a user account under their control. This enables them to access systems, services, or data that is not possible with their standard permissions.

A subject uses a mechanism to decrease or remove the privileges assigned to a user account under their control. This may represent an anti-forensics technique where the subject attempts to obscure previously held privileges that could associate them with activity relating to an infringement.

A subject deletes a shadow copy on a Windows system. This may represent an anti-forensics technique where the intent is to deny access to artifacts of investigative value that may be stored within the shadow copy.

A subject installs a hypervisor that allows them to create and access virtual environments on a device.

A subject installs a VPN application that allows them to tunnel their traffic.

A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction.

A subject can install unapproved browser extensions that provide additional features and functionality to the browser.

A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.

A subject installs an unapproved note taking application with the ability to sync notes across the Internet.

A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet.

A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network.

A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network.

A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network.

A subject installs screen sharing software which can be used to capture images or other information from a target system.

A subject attempts to identify security software through keys and values within the Windows registry.

A subject observes running processes on the target system in an attempt to identify any security agents or software that is running.

A subject attempts to identify security software on a target system by looking through the file system to identify relevant directories or files.

A subject has the ability to put the target system into “Target Disk Mode” (MacOS).

A subject clears Windows Event logs to conceal evidence of their activities.

Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events.

The logs are stored in C:/WINDOWS/system32/config.

Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges.

A subject may delete user accounts to obscure their activities and delete files and information associated with that user.

A subject may delete user accounts to obscure their activities and delete files and information associated with that user.

A subject may delete user accounts to obscure their activities and delete files and information associated with that user.

A subject may delete user accounts to obscure their activities and delete files and information associated with that user.

A subject has access to or can install screen sharing software which can be used to capture images or other information from a target system.

A subject abuses their access or conducts unapproved changes to uninstall a security agent that is present on a system.

A subject abuses their access or conducts unapproved changes to impair the effectiveness of a security agent, such as causing it to crash or killing any associated system processes.

A subject abuses their access or conducts unapproved changes by uninstalling the anti-virus solution installed on a system.

When a Mac is booted into Target Disk Mode (by powering the computer on whilst holding the ‘T’ key), it acts as an external storage device, accessible from another computer via Thunderbolt, USB, or FireWire connections. A subject with physical access to the computer, and the ability to control boot options, can copy any data present on the target disk, bypassing the need to authenticate to the target computer.

The subject makes unauthorized changes to access controls resulting in harm. Examples include resetting/changing passwords, locking accounts, or deleting accounts.

The subject deletes or modifies Windows Registry keys to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting these keys can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system.

The subject deletes or modifies Windows Registry key values to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting key values can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system.

The subject deletes IT resources resulting in harm to the organization. Examples include virtual machines, virtual disk images, user accounts, and DNS records.

The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account.

A subject attempts to identify security software by monitoring network traffic.

A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity.

The tripwire software monitors various aspects of the endpoint to detect potential investigations:

• Security Tool Detection: It scans running processes and monitors new files or services for signatures of known security tools, such as antivirus programs, forensic tools, and Endpoint Detection and Response (EDR) systems.
• File and System Access: It tracks access to critical files or system directories (e.g., system logs, registry entries) commonly accessed during security investigations. Attempts to open or read sensitive files can trigger an alert.
• Network Traffic Analysis: The software analyzes network traffic to identify unusual patterns, including connections to Security Operations Centers (SOC) or the blocking of command-and-control servers by network security controls.
• User and System Behavior: It observes system behavior and monitors logs (such as event logs) that indicate an investigation is in progress, such as switching to an administrative account or modifying security settings (e.g., enabling disk encryption, changing firewall rules).

Upon detecting security activity, the tripwire can initiate various evasive responses:

• Alert the Subject: It covertly sends an alert to an external server controlled by the subject, using common system tools (e.g., curl, wget, or HTTP requests).
• Modify Endpoint Behavior: It can terminate malicious processes, erase evidence (e.g., logs, browser history, specific files), or restore system and network configurations to conceal signs of tampering.

The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.

This tripwire API is embedded within various parts of the environment:

• Cloud Services: It hooks into serverless functions, containers, or virtual machines to monitor access and activity.
• Applications: It integrates into custom-built web applications to observe access to certain URLs, paths, or endpoints.
• Infrastructure Services: It monitors cloud management APIs (e.g., AWS, Azure, Google Cloud) for unusual activities indicative of an investigation.

Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:

• Known Security Tools: Scanning for network traffic signatures from common security tools (like Nessus or nmap) or patterns associated with incident response teams.
• Unusual Access: Detecting attempts from IP ranges linked to internal security teams or cloud provider security operations centers.
• System Changes: Watching for actions typical of an investigation, such as new logging mechanisms, alterations to IAM roles, or the activation of cloud monitoring services.

The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.

Upon detecting activity, the API tripwire can take immediate evasive actions:

• Alert the Subject: It sends covert alerts to an external server controlled by the subject, through an HTTP request, encrypted email, or messaging platform.
• Suspend Malicious Activity: If integrated into a malicious workflow, the API can halt ongoing data exfiltration or malware processes.
• Clean Up Evidence: It triggers scripts to delete logs, clear files, or reset system configurations to hinder forensic analysis.
• Feign Normalcy: It restores access controls and system settings to their default state, masking any signs of unusual activity.

A subject creates an email collection file such as a Personal Storage Table (PST) file or an MBOX file to copy an entire mailbox or subset of a mailbox containing sensitive information.

A subject uses image steganography to hide data in an image, to exfiltrate that data and to hide the act of exfiltration.

Image steganography methods can be categorised based on how data is embedded within an image. These methods vary in capacity (amount of data stored), detectability (resistance to steganalysis), and robustness (resistance to compression or modification). Below are the primary techniques used:

Least Significant Bit (LSB) Steganography

• One of the most common and simple methods.
• Modifies the least significant bits (LSBs) of pixel values to encode secret data.
• Minimal visual impact since changes occur in the lowest bit planes.

How it works:

• Each pixel in an image consists of three color channels (Red, Green, and Blue).
• The LSB of each channel is replaced with bits from the hidden message.

Example:

• Original pixel: (10101100, 11011010, 11101101)
• After encoding: (10101101, 11011010, 11101100)
• Only minor changes, making detection difficult.

Advantages:

• High capacity when applied to all three channels.
• Simple and easy to implement.

Disadvantages:

• Highly susceptible to detection and compression (JPEG compression removes LSB changes).
• Easily detected by statistical analysis methods.

Masking and Filtering Steganography

• Works similarly to watermarking by altering the luminance or contrast of an image.
• Best suited for lossless formats like BMP and PNG, not JPEG.

How it works:

• Hidden data is embedded in textured or edge-rich areas to avoid easy detection.
• Modifies pixel intensity slightly, making it harder to detect through simple LSB analysis.

Advantages:

• More robust than LSB against lossy compression and scaling.
• Works well for grayscale and color images.

Disadvantages:

• Lower capacity than LSB.
• More complex to implement.
   

Transform Domain Steganography

• Instead of modifying pixel values directly, this technique embeds data in frequency components after applying a mathematical transformation.

Types of Transform Domain Methods:

a. Discrete Cosine Transform (DCT) Steganography

• Used in JPEG images, where data is embedded in DCT coefficients instead of pixels.
• Common algorithm: F5 steganography (JSteg is an older, less secure method).

How it works:

• The image is converted to frequency domain using DCT.
• The hidden data is embedded in the mid-frequency DCT coefficients to avoid detection.
• The image is recompressed using JPEG encoding.

Advantages:

• Resistant to LSB steganalysis.
• Works with JPEG, making it more practical.

Disadvantages:

• Lower data capacity than LSB.
• Can be detected by statistical steganalysis.

b. Discrete Wavelet Transform (DWT) Steganography

• Uses wavelet transformation to embed data in high or low-frequency components.

How it works:

• The image is broken into multiple frequency bands using DWT.
• Data is embedded in high-frequency coefficients, ensuring robustness.
• Common in medical image steganography for secure data transmission.

Advantages:

• More robust against compression and noise than DCT.
• Can embed more data than traditional DCT methods.

Disadvantages:

• Requires more complex computation.
• Can be detected by advanced steganalysis tools.

c. Fourier Transform-Based Steganography

• Uses Fast Fourier Transform (FFT) to embed secret data in the frequency spectrum.
• More resistant to image processing operations like scaling and rotation.

Advantages:

• High robustness.
• Harder to detect using common LSB-based analysis.

Disadvantages:

• Requires complex processing.
• Limited in data capacity.

Palette-Based and Color Modification Techniques

a. Palette-Based Steganography (GIF, PNG)

• Modifies indexed color tables instead of pixels.
• Works by shifting palette entries in GIF or PNG images.

Advantages:

• No direct pixel modifications, making it hard to detect visually.

Disadvantages:

• Can be detected by comparing original and modified color palettes.
• Limited to certain file formats.

b. Alpha Channel Manipulation

• Uses transparency layers in images (e.g., PNG with alpha channels) to store hidden data.

Advantages:

• Harder to detect in images with multiple layers.

Disadvantages:

• Only works in formats supporting alpha transparency (PNG, TIFF).

Edge-Based and Texture-Based Steganography

a. Edge Detection Steganography

• Embeds data only in edge regions of an image, avoiding smooth areas.
• Uses Canny edge detection or similar algorithms.

Advantages:

• Harder to detect using basic LSB analysis.
• Can withstand minor modifications.

Disadvantages:

• Requires pre-processing.
• Lower capacity than LSB.

b. Patchwork Algorithm

• Uses redundant patterns to embed data, making detection harder.
• Works well for texture-rich images.

Advantages:

• High resistance to compression and cropping.

Disadvantages:

• Complex encoding and decoding process.

Spread Spectrum and Noise-Based Techniques

a. Spread Spectrum Steganography

• Mimics radio communication techniques, distributing data across the entire image.
• Uses pseudo-random noise patterns to hide data.

Advantages:

• Harder to detect due to randomness.

Disadvantages:

• Lower data capacity.

b. Statistical Steganography

• Alters color distributions or histogram properties to encode data.
• Ensures changes remain within natural variations.

Advantages:

• Very stealthy and hard to detect.

Disadvantages:

• Limited data capacity.

Adaptive and AI-Based Steganography

• Uses machine learning to optimize embedding locations.
• Adaptive algorithms select least noticeable areas dynamically.

Advantages:

• Extremely stealthy and resistant to detection.

Disadvantages:

• Requires computational power.

Comparison Table of Image Steganography Methods