Application Whitelisting

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.

nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.

Linux has the built-in command touch that has functionality that allows a user to update the access and modified dates of a file. The command can be run like this:

touch -a -m -d ‘10 February 2001 12:34' <file>

The argument -a refers to the access time, -m refers to the modify time, and -d refers to the date applied to the target file.

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

A subject can install software on a device without restriction.

A subject can leverage software approved for installation or software that is already installed.

A subject conducts a scan of a network to identify additional systems, or services running on those systems.

The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as regsitry keys or files necessary for the software to run, preventing them from being used by investigators to track activity.

The subject uses a virtual machine (VM) to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations.
 

By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.

The subject installs and uses an unapproved VPN client, potentially violating organizational policy. By using a VPN service not controlled by the organization, the subject can bypass security controls, reducing the security team’s visibility into network activity conducted through the unauthorized VPN. This could lead to significant security risks, as monitoring and detection mechanisms are circumvented.

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

A subject uses utilities to compress collected data prior to exfiltration.

A subject uses utilities to encrypt collected data prior to exfiltration.

A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system.

A subject installs a hypervisor that allows them to create and access virtual environments on a device.

A subject installs a VPN application that allows them to tunnel their traffic.

A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction.

A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.

A subject installs an unapproved note taking application with the ability to sync notes across the Internet.

A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet.

A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network.

A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network.

A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network.

A subject installs screen sharing software which can be used to capture images or other information from a target system.

A subject has access to or can install screen sharing software which can be used to capture images or other information from a target system.

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized):

• hxxps://www.evernote[.]com
• hxxps://keep.google[.]com
• hxxps://www.notion[.]so
• hxxps://www.onenote[.]com
• hxxps://notebook.zoho[.]com

A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as Teamviewer.

A subject attempts to identify security software by monitoring network traffic.

A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity.

The tripwire software monitors various aspects of the endpoint to detect potential investigations:

• Security Tool Detection: It scans running processes and monitors new files or services for signatures of known security tools, such as antivirus programs, forensic tools, and Endpoint Detection and Response (EDR) systems.
• File and System Access: It tracks access to critical files or system directories (e.g., system logs, registry entries) commonly accessed during security investigations. Attempts to open or read sensitive files can trigger an alert.
• Network Traffic Analysis: The software analyzes network traffic to identify unusual patterns, including connections to Security Operations Centers (SOC) or the blocking of command-and-control servers by network security controls.
• User and System Behavior: It observes system behavior and monitors logs (such as event logs) that indicate an investigation is in progress, such as switching to an administrative account or modifying security settings (e.g., enabling disk encryption, changing firewall rules).

Upon detecting security activity, the tripwire can initiate various evasive responses:

• Alert the Subject: It covertly sends an alert to an external server controlled by the subject, using common system tools (e.g., curl, wget, or HTTP requests).
• Modify Endpoint Behavior: It can terminate malicious processes, erase evidence (e.g., logs, browser history, specific files), or restore system and network configurations to conceal signs of tampering.

A subject uses image steganography to hide data in an image, to exfiltrate that data and to hide the act of exfiltration.

Image steganography methods can be categorised based on how data is embedded within an image. These methods vary in capacity (amount of data stored), detectability (resistance to steganalysis), and robustness (resistance to compression or modification). Below are the primary techniques used:

Least Significant Bit (LSB) Steganography

• One of the most common and simple methods.
• Modifies the least significant bits (LSBs) of pixel values to encode secret data.
• Minimal visual impact since changes occur in the lowest bit planes.

How it works:

• Each pixel in an image consists of three color channels (Red, Green, and Blue).
• The LSB of each channel is replaced with bits from the hidden message.

Example:

• Original pixel: (10101100, 11011010, 11101101)
• After encoding: (10101101, 11011010, 11101100)
• Only minor changes, making detection difficult.

Advantages:

• High capacity when applied to all three channels.
• Simple and easy to implement.

Disadvantages:

• Highly susceptible to detection and compression (JPEG compression removes LSB changes).
• Easily detected by statistical analysis methods.

Masking and Filtering Steganography

• Works similarly to watermarking by altering the luminance or contrast of an image.
• Best suited for lossless formats like BMP and PNG, not JPEG.

How it works:

• Hidden data is embedded in textured or edge-rich areas to avoid easy detection.
• Modifies pixel intensity slightly, making it harder to detect through simple LSB analysis.

Advantages:

• More robust than LSB against lossy compression and scaling.
• Works well for grayscale and color images.

Disadvantages:

• Lower capacity than LSB.
• More complex to implement.
   

Transform Domain Steganography

• Instead of modifying pixel values directly, this technique embeds data in frequency components after applying a mathematical transformation.

Types of Transform Domain Methods:

a. Discrete Cosine Transform (DCT) Steganography

• Used in JPEG images, where data is embedded in DCT coefficients instead of pixels.
• Common algorithm: F5 steganography (JSteg is an older, less secure method).

How it works:

• The image is converted to frequency domain using DCT.
• The hidden data is embedded in the mid-frequency DCT coefficients to avoid detection.
• The image is recompressed using JPEG encoding.

Advantages:

• Resistant to LSB steganalysis.
• Works with JPEG, making it more practical.

Disadvantages:

• Lower data capacity than LSB.
• Can be detected by statistical steganalysis.

b. Discrete Wavelet Transform (DWT) Steganography

• Uses wavelet transformation to embed data in high or low-frequency components.

How it works:

• The image is broken into multiple frequency bands using DWT.
• Data is embedded in high-frequency coefficients, ensuring robustness.
• Common in medical image steganography for secure data transmission.

Advantages:

• More robust against compression and noise than DCT.
• Can embed more data than traditional DCT methods.

Disadvantages:

• Requires more complex computation.
• Can be detected by advanced steganalysis tools.

c. Fourier Transform-Based Steganography

• Uses Fast Fourier Transform (FFT) to embed secret data in the frequency spectrum.
• More resistant to image processing operations like scaling and rotation.

Advantages:

• High robustness.
• Harder to detect using common LSB-based analysis.

Disadvantages:

• Requires complex processing.
• Limited in data capacity.

Palette-Based and Color Modification Techniques

a. Palette-Based Steganography (GIF, PNG)

• Modifies indexed color tables instead of pixels.
• Works by shifting palette entries in GIF or PNG images.

Advantages:

• No direct pixel modifications, making it hard to detect visually.

Disadvantages:

• Can be detected by comparing original and modified color palettes.
• Limited to certain file formats.

b. Alpha Channel Manipulation

• Uses transparency layers in images (e.g., PNG with alpha channels) to store hidden data.

Advantages:

• Harder to detect in images with multiple layers.

Disadvantages:

• Only works in formats supporting alpha transparency (PNG, TIFF).

Edge-Based and Texture-Based Steganography

a. Edge Detection Steganography

• Embeds data only in edge regions of an image, avoiding smooth areas.
• Uses Canny edge detection or similar algorithms.

Advantages:

• Harder to detect using basic LSB analysis.
• Can withstand minor modifications.

Disadvantages:

• Requires pre-processing.
• Lower capacity than LSB.

b. Patchwork Algorithm

• Uses redundant patterns to embed data, making detection harder.
• Works well for texture-rich images.

Advantages:

• High resistance to compression and cropping.

Disadvantages:

• Complex encoding and decoding process.

Spread Spectrum and Noise-Based Techniques

a. Spread Spectrum Steganography

• Mimics radio communication techniques, distributing data across the entire image.
• Uses pseudo-random noise patterns to hide data.

Advantages:

• Harder to detect due to randomness.

Disadvantages:

• Lower data capacity.

b. Statistical Steganography

• Alters color distributions or histogram properties to encode data.
• Ensures changes remain within natural variations.

Advantages:

• Very stealthy and hard to detect.

Disadvantages:

• Limited data capacity.

Adaptive and AI-Based Steganography

• Uses machine learning to optimize embedding locations.
• Adaptive algorithms select least noticeable areas dynamically.

Advantages:

• Extremely stealthy and resistant to detection.

Disadvantages:

• Requires computational power.

Comparison Table of Image Steganography Methods

A subject may employ a Python-based listening service to exfiltrate organizational data, typically as part of a self-initiated or premeditated breach. Python’s accessibility and versatility make it a powerful tool for creating custom scripts capable of transmitting sensitive data to external or unauthorized internal systems.

In this infringement method, the subject configures a Python script—often hosted externally or on a covert internal system—to listen for incoming connections. A complementary script, running within the organization’s network (such as on a corporate laptop), transmits sensitive files or data streams to the listening service using common protocols such as HTTP or TCP, or via more covert channels including DNS tunneling, ICMP, or steganographic methods. Publicly available tools such as PyExfil can facilitate these operations, offering modular capabilities for exfiltrating data across multiple vectors.

Examples of Use:

• A user sets up a lightweight Python HTTP listener on a personal VPS and writes a Python script to send confidential client records over HTTPS.
• A developer leverages a custom Python socket script to transfer log data to a system outside the organization's network, circumventing monitoring tools.
• An insider adapts an open-source exfiltration framework like PyExfil to send data out via DNS queries to a registered domain.

Detection Considerations:

• Monitor for local Python processes opening network sockets or binding to uncommon ports.
• Generate alerts on outbound connections to unfamiliar IP addresses or those exhibiting anomalous traffic patterns.
• Utilize endpoint detection and response (EDR) solutions to flag scripting activity involving file access and external communications.
• Inspect Unified Logs, network flow data, and system audit trails for signs of unauthorized data movement or execution of custom scripts.

Kerberoasting is a technique that can be exploited by a subject to escalate privileges and gain unauthorized access to sensitive systems within a network. From the perspective of a subject—who may be a low-privileged user with legitimate access to the network—the attack takes advantage of weaknesses in the Kerberos authentication protocol used by Active Directory (AD).

Kerberos Authentication Process

In a Kerberos-based network (like those using Active Directory), clients—users, computers, or services—authenticate to services using service tickets. When a client wants to access a service (e.g., a file server or email service), it requests a service ticket from the Ticket Granting Service (TGS). This request is made using the Service Principal Name (SPN) of the target service.

The TGS then issues a service ticket containing the hashed credentials (password) of the service account associated with that SPN. These credentials are encrypted in the service ticket, and the client can present the ticket to the service to authenticate.

Subject Requesting Service Tickets

A subject, typically a domain user with limited privileges, can exploit this process by requesting service tickets for service accounts running critical or high-privilege services, such as domain controllers or admin-level service accounts. These accounts are often associated with SPNs in Active Directory.

The subject can identify these SPNs—often for high-value targets like SQL Server, Exchange, or other administrative services—by querying the domain or using enumeration tools. Once these SPNs are identified, the subject can request service tickets for these service accounts from the TGS.

Cracking the Service Tickets

The key aspect of the Kerberoasting attack is that the service tickets contain hashed credentials of the service account. If these service accounts use weak, easily guessable passwords, the subject can extract the service tickets and attempt to crack the hashes offline using tools like Hashcat or John the Ripper.

Since these passwords are typically not subject to regular user password policies (i.e., they may not be as complex), weak or easily cracked passwords are a prime target for the subject.

Privilege Escalation and Unauthorized Access

Once the subject successfully cracks the password of a service account, they can use the credentials to gain elevated privileges. For example:

• If the cracked service account belongs to a high-privilege service (e.g., Domain Admins or Enterprise Admins), the subject can use these credentials to access systems, services, and parts of the network they would not ordinarily be permitted to access. This could include sensitive files, servers, or even Active Directory itself.
• The subject can use these credentials to move laterally within the network, expanding their access to additional systems that are typically restricted to high-privilege accounts.
• With administrative-level access, the subject can make changes to critical systems, alter configurations, or install malicious software. This could lead to further insider events, such as data exfiltration, malware deployment, or even persistent backdoors for ongoing unauthorized access.

Reconnaissance and Exploitation

The subject can perform additional reconnaissance within the network to identify other high-privilege accounts and services associated with service accounts. They can continue requesting service tickets for additional SPNs and cracking any other weak passwords they find, gradually escalating their access to more critical systems.

With broad access, the subject may also attempt to manipulate access controls, elevate privileges further, or carry out malicious actions undetected. This provides a potential stepping stone to more serious insider threats and an expanded attack surface for other actors.

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.

Characteristics

• Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
• May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
• Often configured to throttle resource usage during business hours to evade human and telemetry detection.
• Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL).
• Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions.
• Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls.

Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.