ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™Insider Threat Matrix™
  • ID: PV077
  • Created: 22nd October 2025
  • Updated: 22nd October 2025
  • Contributor: David Larsen

Controlled Software Inventory Management

Maintain a centralized, enforceable inventory of all software permitted for use on enterprise-managed systems. Unauthorized or unmanaged software increases the risk of tool misuse, data movement, lateral exploitation, and unmonitored communication, each of which may enable or conceal insider activity.
 

A software inventory is not passive documentation; it is a dynamic enforcement boundary. Effective control requires both technical constraint (e.g., allowlisting) and structured visibility into what applications are deployed, by whom, and for what purpose.

Key Prevention Measures

  • Deploy endpoint management platforms capable of full software inventory visibility, such as Microsoft Intune, JAMF (macOS), Tanium, CrowdStrike Falcon, or ManageEngine Endpoint Central.
  • Enforce application allowlisting using tools like Microsoft Defender Application Control (WDAC), AppLocker, or third-party EDR integrations.
  • Maintain a centralized, queryable list of all approved applications, including version ranges, installation context (user vs. system), and business justification.
  • Log every software install event with metadata including hostname, username, install timestamp, and installation method.
  • Require all application installations to originate from approved enterprise repositories or deployment platforms (e.g., SCCM, Intune, JAMF).
  • Prohibit local administrator rights for population members except under time-limited, auditable exceptions.
  • Detect and flag installation of encryption tools, anonymizers, remote desktop clients, or developer toolchains on non-technical endpoints.
  • Conduct monthly reconciliations between installed applications and the approved software list, using EDR or inventory tools.
  • Investigate installation of communication platforms not sanctioned by enterprise IT (e.g., Signal, Telegram Desktop, third-party file transfer clients).
  • Automatically remove or isolate endpoints found running prohibited software, and require investigation before rejoining corporate networks.

 

Investigator Considerations

  • Software inventory logs are a high-value artifact for understanding preparatory behavior, such as staging exfiltration tools or side-channel communication clients.
  • Discrepancies between allowed software and observed installations often indicate circumvention of standard IT channels.
  • Repeated installations of the same unapproved tool across multiple devices or subjects may reflect behavioral drift or informal tool adoption within a team.
  • Software changes shortly before a known incident window may indicate staging activity, particularly if correlated with anomalous file or network activity.

Sections

ID Name Description
IF009Installing Unapproved Software

A subject installs software onto an organization-managed system without prior approval or outside sanctioned methods (e.g., centralized package management, internal software portals). This behavior spans a spectrum of risk - from seemingly benign installations (e.g., video games, personal browsers, media players) to unauthorized deployment of potentially harmful tools sourced from unvetted repositories or adversarial infrastructure.

 

The infringement may involve:

 

  • Manual download and execution of installer packages
  • Use of administrative access to bypass endpoint restrictions
  • Cloning or compiling code from external code repositories such as GitHub

 

While some installations may appear harmless, unapproved software installs can represent a breakdown in configuration control and acceptable use. In high-risk scenarios, such software may introduce remote access mechanisms, data exfiltration capabilities, or other malware. Even benign cases signal behavioral drift, particularly when repeated or ignored, and can contribute to software sprawl, policy erosion, or eventual exploitation.

IF009.005Anti-Sleep Software

The subject installs or enables software, scripts, or hardware devices designed to prevent systems from automatically locking, logging out, or entering sleep mode. This unauthorized action deliberately subverts security controls intended to protect unattended systems from unauthorized access.

 

Characteristics

  • Circumvents policies enforcing session locks, idle timeouts, and mandatory logout periods.
  • May involve third-party applications ("caffeine" tools), anti-idle scripts, or physical devices such as USB mouse jigglers.
  • Typically deployed without organizational approval or awareness.
  • Leaves systems continuously unlocked and accessible, undermining endpoint security and physical safeguards.
  • Renders full disk encryption protections ineffective while the system remains powered and unlocked.
  • Creates opportunities for unauthorized access, data exfiltration, or device compromise by malicious insiders or third parties.

 

Example Scenario

A subject installs unauthorized anti-sleep software on a corporate laptop to prevent automatic locking during idle periods. As a result, the device remains accessible even when left unattended in unsecured environments such as cafes, airports, or shared workspaces. This action bypasses mandatory screen-lock policies and renders full disk encryption protections ineffective, exposing sensitive organizational data to theft or compromise by malicious third parties who can physically access the unattended device.

IF009.002Inappropriate Software

A subject installs software that is not considered appropriate by the organization.

IF009.007Installation of Unapproved Browser Extensions

The subject installs browser extensions on a managed device that have not been approved, vetted, or distributed via sanctioned organizational channels. These may include productivity tools, automation agents, data scrapers, content manipulators, or AI-enhanced interfaces. Installations typically originate from GitHub repositories, private developer sites, shared file storage, or sideloading tools that bypass enterprise browser controls.

 

Unapproved extensions introduce unmonitored execution environments directly into the subject’s browser, enabling silent access to sensitive web applications, stored credentials, and internal content. Many request expansive permissions (e.g., webRequest, cookies, tabs, clipboardRead) and operate with persistent background scripts that are difficult to detect through normal endpoint monitoring.

 

This behavior violates Acceptable Use Policies and, depending on the extension’s behavior, may also constitute unauthorized access, data exfiltration, or malware introduction. Some extensions—particularly those hosted on GitHub or distributed through Telegram groups or developer forums—have been found to contain obfuscated payloads, embedded credential harvesters, or cryptojacking modules.

 

Examples include:

 

  • Installing a GitHub-hosted ChatGPT sidebar extension that silently logs visited URLs and API keys used in developer consoles.
  • Deploying a YouTube downloader that injects scripts for ad click fraud or SEO manipulation.
  • Using a browser extension to auto-fill forms with personal data, which transmits data to offshore analytics servers.
  • Loading unpacked or custom extensions that disguise themselves as utilities but include base64-encoded malware installers.

 

While subjects may initially claim curiosity or productivity needs, repeated installation of unapproved extensions—especially after prior enforcement—may indicate normalization of risky behavior or active circumvention of controls.

IF009.006Installing Crypto Mining Software

The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.

 

Characteristics

  • Deploys CPU-intensive or GPU-intensive processes (e.g., xmrig, ethminer, phoenixminer, nicehash) on endpoints, servers, or cloud infrastructure without approval.
  • May use containerized deployments (Docker), low-footprint mining scripts, browser-based JavaScript miners, or stealth binaries disguised as legitimate processes.
  • Often configured to throttle resource usage during business hours to evade human and telemetry detection.
  • Establishes persistent outbound network connections to mining pools (e.g., via Stratum mining protocol over TCP/SSL).
  • Frequently disables system security features (e.g., Anti-Virus (AV)/Endpoint Detection & Response (EDR) agents, power-saving modes) to maintain uninterrupted mining sessions.
  • Represents not only misuse of resources but also creates unauthorized outbound communication channels that bypass standard network controls.

 

Example Scenario

A subject installs a customized xmrig Monero mining binary onto under-monitored R&D servers by side-loading it via a USB device. The miner operates in "stealth mode," hiding its process name within legitimate system services and throttling CPU usage to 60% during business hours. Off-peak hours show 95% CPU utilization with persistent outbound TCP traffic to an external mining pool over a non-standard port. The mining operation remains active for six months, leading to significant compute degradation, unplanned electricity costs, and unmonitored external network connections that could facilitate broader compromise.

IF009.001Unwanted Software

A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.