ITM is an open framework - Submit your contributions now.

Preventions

No Ready System-Level Mitigation

Restrict Access to Administrative Privileges

Enforce an Acceptable Use Policy

Enforce a Social Media Policy

Install an Anti-Virus Solution

Install a Web Proxy Solution

Restrict Access to Registry Editor

Enforce File Permissions

Prohibition of Devices On-site

Physical Access Controls

End-User Security Awareness Training

Pre-Employment Background Checks

Disable Printing, Windows

Application Whitelisting

Enforce a Data Classification Policy

Prohibit Email Auto-Forwarding to External Domains, Exchange

Network Intrusion Prevention Systems

Data Loss Prevention Solution

DNS Filtering

Internal Whistleblowing

Access Reviews

Employee Off-boarding Process

Full Disk Encryption

Restrict Mobile Clipboard via Intune App Protection Policies

Financial Approval Process

Corporate Card Spending Limits

Enterprise-Managed Web Browsers

Bootloader Password

Next-Generation Firewalls

Native Anti-Tampering Protections

Protocol Allow Listing

Restrict Disc Media Mounting, Group Policy

Restrict Floppy Drive Mounting, Group Policy

Restrict Removable Disk Mounting, Group Policy

Insider Threat Awareness Training

Employee Mental Health & Support Program

Network Access Control (NAC)

Mobile Device Management (MDM)

Employee Vulnerability Support Program

Restrict Windows System Time Modification

Windows Time Service Synchronization

Exchange Restrict Outbound Emails via Recipient Domain

Regulation Awareness Training

Implement MIP Sensitivity Labels

Privileged Access Management (PAM)

Managerial Approval

Social Media Screening

Employment Reference Checks

Criminal Background Checks

Government-Issued ID Verification

Human Resources Collaboration for Early Threat Detection

Enforce Multi-Factor Authentication (MFA)

Azure Conditional Access Policies

Structured Request Channels for Operational Needs

Consistent Enforcement of Minor Violations

ID: PV018
Created: 01st June 2024
Updated: 24th July 2024
Contributor: The ITM Team

Network Intrusion Prevention Systems

Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection.

Sections

ID	Name	Description
ME006	Web Access	A subject can access the web with an organization device.
ME009	FTP Servers	A subject is able to access external FTP servers.
ME010	SSH Servers	A subject is able to access external SSH servers.
PR021	Network Scanning	A subject conducts a scan of a network to identify additional systems, or services running on those systems.
IF020	Unauthorized VPN Client	The subject installs and uses an unapproved VPN client, potentially violating organizational policy. By using a VPN service not controlled by the organization, the subject can bypass security controls, reducing the security team’s visibility into network activity conducted through the unauthorized VPN. This could lead to significant security risks, as monitoring and detection mechanisms are circumvented.
PR026	Remote Desktop (RDP)	The subject initiates configuration or usage of Remote Desktop Protocol (RDP) to enable remote control of an endpoint or server, typically for purposes not sanctioned by the organization. This activity may include enabling RDP settings through system configuration, altering firewall rules, adding users to RDP groups, or initiating browser-based remote access sessions. While RDP is commonly used for legitimate administrative and support purposes, its unauthorized configuration is a well-documented preparatory behavior preceding data exfiltration, sabotage, or persistent unauthorized access. RDP can be enabled through local system settings, remote management tools, or even web-based services that proxy or tunnel RDP traffic through HTTPS. Subjects may configure RDP access for themselves, for a secondary device, or to facilitate third-party (external) involvement in insider threat activities.
IF011.001	Intentionally Weakening Network Security Controls For a Third Party	The subject intentionally weakens or bypasses network security controls for a third party, such as providing credentials or disabling security controls.
IF004.006	Exfiltration via Python Listening Service	A subject may employ a Python-based listening service to exfiltrate organizational data, typically as part of a self-initiated or premeditated breach. Python’s accessibility and versatility make it a powerful tool for creating custom scripts capable of transmitting sensitive data to external or unauthorized internal systems. In this infringement method, the subject configures a Python script—often hosted externally or on a covert internal system—to listen for incoming connections. A complementary script, running within the organization’s network (such as on a corporate laptop), transmits sensitive files or data streams to the listening service using common protocols such as HTTP or TCP, or via more covert channels including DNS tunneling, ICMP, or steganographic methods. Publicly available tools such as PyExfil can facilitate these operations, offering modular capabilities for exfiltrating data across multiple vectors. Examples of Use: A user sets up a lightweight Python HTTP listener on a personal VPS and writes a Python script to send confidential client records over HTTPS. A developer leverages a custom Python socket script to transfer log data to a system outside the organization's network, circumventing monitoring tools. An insider adapts an open-source exfiltration framework like PyExfil to send data out via DNS queries to a registered domain. Detection Considerations: Monitor for local Python processes opening network sockets or binding to uncommon ports. Generate alerts on outbound connections to unfamiliar IP addresses or those exhibiting anomalous traffic patterns. Utilize endpoint detection and response (EDR) solutions to flag scripting activity involving file access and external communications. Inspect Unified Logs, network flow data, and system audit trails for signs of unauthorized data movement or execution of custom scripts.
IF009.006	Installing Crypto Mining Software	The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks. Characteristics Deploys CPU-intensive or GPU-intensive processes (e.g., `xmrig`, `ethminer`, `phoenixminer`, `nicehash`) on endpoints, servers, or cloud infrastructure without approval. May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes. Often configured to throttle resource usage during business hours to evade human and telemetry detection. Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL). Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions. Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls. Example Scenario A subject installs a customized `xmrig` Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.
PR026.001	Remote Desktop (RDP) Access on Windows Systems	The subject initiates configuration changes to enable Remote Desktop Protocol (RDP) or Remote Assistance on a Windows system, typically through the System Properties dialog, registry modifications, or local group policy. This behavior may indicate preparatory actions to grant unauthorized remote access to the endpoint, whether to an external actor, co-conspirator, or secondary account. Characteristics Subject opens the Remote tab within the System Properties dialog (`SystemPropertiesRemote.exe`) and enables: Remote Assistance Remote Desktop May configure additional RDP-related settings such as: Allowing connections from any version of RDP clients (less secure) Adding specific users to the `Remote Desktop Users group` Modifying Group Policy to allow RDP access Often accompanied by: Firewall rule changes to allow inbound RDP (`TCP 3389`) Creation of local accounts or service accounts with RDP permissions Disabling sleep, lock, or idle timeout settings to keep the system continuously accessible In some cases, used to stage access prior to file exfiltration, remote control handoff, or backdoor persistence. Example Scenario A subject accesses the Remote tab via SystemPropertiesRemote.exe and enables Remote Desktop, selecting the “Allow connections from computers running any version of Remote Desktop” option. They add a personal email-based Microsoft account to the Remote Desktop Users group. No help desk ticket or change request is submitted. Over the following days, successful RDP logins are observed from an IP address outside of corporate VPN boundaries, correlating with a data transfer spike.