Preventions
- Home
- - Preventions
- -PV049
- ID: PV049
- Created: 23rd April 2025
- Updated: 23rd April 2025
- Platforms: Windows, Linux, MacOS,
- Contributor: The ITM Team
Managerial Approval
The process for having software installed on a corporate endpoint by IT should require approval from the employee's line manager to ensure the request is legitimate and appropriate.
Sections
ID | Name | Description |
---|---|---|
PR010 | Software or Access Request | A subject may make a request for software (such as an RDP, SSH or FTP client) or access (such as USB mass storage device access) to be installed or enabled on a target system, to facilitate the infringement. |
PR027.002 | Impersonation via Collaboration and Communication Tools | The subject creates, modifies, or misuses digital identities within internal communication or collaboration environments—such as email, chat platforms (e.g., Slack, Microsoft Teams), or shared document spaces—to impersonate trusted individuals or roles. This tactic is used to gain access, issue instructions, extract sensitive data, or manipulate workflows under the guise of legitimacy.
Impersonation in this context can be achieved through:
The impersonation may be part of early-stage insider coordination, privilege escalation attempts, or subtle reconnaissance designed to map workflows, bypass controls, or test detection thresholds.
Example Scenarios:
|
AF022.001 | Use of a Virtual Machine | The subject uses a virtual machine (VM) on an organization device to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations. By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities. |