Bypassing Security Controls (Windows/Mac)
The following out-of-the-box alert rules are assigned to the Windows/Mac category BYPASSING SECURITY CONTROLS. Most of these rules fire on a user opening a specific built-in settings screen or launching a specific tool; they signal intent (the screen was opened, the tool was started), not that a setting was actually changed.
| Alert rule | Description |
|---|---|
| Opening ObserveIT Agent folder | An alert is triggered when a user opens the folder in which the ITM On-Prem (ObserveIT) Agent is installed, potentially to tamper with the Agent or to cover tracks. |
| Running TOR browser | An alert is triggered when a user runs the Tor (The Onion Router) browser in order to access the Tor network (the Dark Web). This can indicate that the user wants to hide their identity while performing illegal activity. |
| Adding Windows Firewall Rules | An alert is triggered when a user opens the built-in Windows Add New Rule screen in the Firewall settings to define a new rule. |
| Changing computer date or time | An alert is triggered when a user opens the built-in Windows date and time settings screen, potentially to change the date or time in order to falsify the record of user actions or to avoid the expiration of a time-limited software license. |
| Configuring Windows Firewall Status | An alert is triggered when a user opens the built-in Windows Firewall settings screen, potentially to turn the firewall off before performing inbound or outbound network activity that the firewall would normally block. |
| Configuring Windows LAN or Proxy Settings | An alert is triggered when a user opens the built-in Windows LAN/Proxy settings screen, potentially to route internet access through a third party in order to hide the user's IP address or identity. |
| Configuring Windows VPN Connection | An alert is triggered when a user opens the built-in Windows VPN settings screen, potentially to configure access to a private network that would not otherwise be reachable. |
| Creating a new virtual machine instance | An alert is triggered when a user creates a new virtual machine instance in one of the predefined virtualization solutions. |
| Logging in with local user account | An alert is triggered when a user logs in with a domain name that is not in the predefined list of domains. Such a login is usually a local user login, in which the domain name is the machine name (typical of laptops disconnected from the organization's network). |
| Running VPN, Proxy or Tunneling tools | An alert is triggered when a user runs advanced networking tools, either to gain access to private networks or to hide the user's identity. |
| Changing Internet security settings | An alert is triggered when a user customizes the security level in Internet Properties. This can indicate an early intent to bypass Internet security controls and expose the machine to danger. |
| Running a partially monitored browser | An alert is triggered when a user runs the Opera browser, which ITM On-Prem (ObserveIT) monitors only partially (no URL capturing). This can indicate an early intent to hide information and cover tracks from the organization. Note that the URL-based rules below cannot fire for activity in this browser. |
| Browsing to website related to MIMIKATZ utility | An alert is triggered when a user browses to, or searches for, a website related to the MIMIKATZ utility, which is used to extract credentials and tamper with Windows security. |
| Downloading the MIMIKATZ utility | An alert is triggered when a user downloads a file related to the MIMIKATZ utility, which is used to extract credentials and tamper with Windows security. |
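The following is an added example, not ITM On-Prem (ObserveIT) code, showing how the rules in the table above reduce to a few matchers over user-activity events: process name (Tor, tunneling tools, Opera), foreground window title (the built-in Windows settings screens), the Explorer path (Agent folder), the URL or downloaded file (MIMIKATZ), and the logon domain (local account). The event schema, the known-domain list, the process names, the window-title patterns and the Agent install path are all assumptions made for this example and are not the product's real configuration or export format; the sample events at the bottom are constructed.

```python
import re
from typing import Dict, List, Tuple

# --- Reference data (all assumed for this example) -----------------------------
KNOWN_DOMAINS = {"CORP", "CORP-LAB"}                      # organisation's domains
TOR_PROCESSES = {"tor.exe", "tor-browser.exe"}
TUNNEL_PROCESSES = {"openvpn.exe", "ngrok.exe", "plink.exe", "proxifier.exe"}
PARTIAL_BROWSERS = {"opera.exe"}                          # monitored without URL capture
AGENT_FOLDER = r"c:\program files\observeit\agent"        # assumed Agent install path

# Screen-based rules: (alert name, pattern over the foreground window title).
# The titles are assumptions about what the built-in Windows screens are called.
WINDOW_RULES = [
    ("Adding Windows Firewall Rules", re.compile(r"New (Inbound|Outbound) Rule Wizard", re.I)),
    ("Configuring Windows Firewall Status", re.compile(r"^Windows (Defender )?Firewall$", re.I)),
    ("Changing computer date or time", re.compile(r"^Date and Time$", re.I)),
    ("Configuring Windows LAN or Proxy Settings",
     re.compile(r"Local Area Network \(LAN\) Settings|^Proxy$", re.I)),
    ("Configuring Windows VPN Connection", re.compile(r"^VPN$|Add a VPN connection", re.I)),
    ("Changing Internet security settings", re.compile(r"^Internet Properties$", re.I)),
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every alert rule from the table that `event` triggers.

    An event is a flat dict; only the keys that are present are inspected:
    type ("login" | "browse" | "download" | anything else), domain, host,
    process, window_title, path, url.
    """
    alerts: List[str] = []

    if event.get("type") == "login":
        domain = event.get("domain", "").upper()
        # Rule as stated on the page: any domain outside the predefined list.
        # The typical case is a local logon, where domain == machine name.
        if domain not in KNOWN_DOMAINS:
            alerts.append("Logging in with local user account")
        return alerts

    proc = event.get("process", "").lower()
    if proc in TOR_PROCESSES:
        alerts.append("Running TOR browser")
    if proc in TUNNEL_PROCESSES:
        alerts.append("Running VPN, Proxy or Tunneling tools")
    if proc in PARTIAL_BROWSERS:
        # Caveat from the table: no URL capture here, so the MIMIKATZ URL rules
        # below can never see activity from this browser.
        alerts.append("Running a partially monitored browser")
    if proc == "explorer.exe" and event.get("path", "").lower().startswith(AGENT_FOLDER):
        alerts.append("Opening ObserveIT Agent folder")

    title = event.get("window_title", "")
    for name, pattern in WINDOW_RULES:
        if pattern.search(title):
            alerts.append(name)

    # URL rules: a download of a MIMIKATZ-related file is distinct from merely
    # browsing to or searching for a MIMIKATZ-related site.
    url = event.get("url", "").lower()
    if "mimikatz" in url:
        if event.get("type") == "download":
            alerts.append("Downloading the MIMIKATZ utility")
        else:
            alerts.append("Browsing to website related to MIMIKATZ utility")
    return alerts


# Constructed sample events (not real ObserveIT output).
SAMPLE_EVENTS = [
    {"type": "login", "user": "jdoe", "host": "LAPTOP-42", "domain": "LAPTOP-42"},
    {"type": "login", "user": "jdoe", "host": "WS-0117", "domain": "CORP"},
    {"type": "process", "process": "tor.exe", "window_title": "Connect to Tor"},
    {"type": "window", "process": "mmc.exe", "window_title": "New Inbound Rule Wizard"},
    {"type": "window", "process": "rundll32.exe", "window_title": "Date and Time"},
    {"type": "window", "process": "explorer.exe", "window_title": "Agent",
     "path": r"C:\Program Files\ObserveIT\Agent"},
    {"type": "browse", "process": "chrome.exe", "url": "https://example.test/tools/mimikatz"},
    {"type": "download", "process": "chrome.exe", "url": "https://example.test/mimikatz_trunk.zip"},
    {"type": "process", "process": "opera.exe", "window_title": "Speed Dial"},
    {"type": "window", "process": "notepad.exe", "window_title": "Untitled - Notepad"},
]


def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[Tuple[int, str]]:
    """Evaluate every event and return (event index, alert name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in evaluate(ev)]


if __name__ == "__main__":
    for idx, name in run():
        print(f"event {idx}: {name}")
```

The local-login rule is deliberately the only one that keys on a denylist complement (anything not in KNOWN_DOMAINS) rather than a positive match; that is why it fires for LAPTOP-42 without needing a list of every machine name, and also why the KNOWN_DOMAINS list must be complete for the rule to stay quiet on legitimate domain logons.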