Skip to content

M1047 Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.
Item Value
ID M1047
Version 1.3
Created 11 June 2019
Last Modified 10 December 2024
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.9
enterprise T1548.002 Bypass User Account Control Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.9
enterprise T1548.006 TCC Manipulation Routinely check applications using Automation under Security & Privacy System Preferences. To reset permissions, user’s can utilize the tccutil reset command. When using Mobile Device Management (MDM), review the list of enabled or disabled applications in the MDMOverrides.plist which overrides the TCC database.34
enterprise T1087 Account Discovery -
enterprise T1087.004 Cloud Account Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.
enterprise T1560 Archive Collected Data System scans can be performed to identify unauthorized archival utilities.
enterprise T1560.001 Archive via Utility System scans can be performed to identify unauthorized archival utilities.
enterprise T1612 Build Image on Host Audit images deployed within the environment to ensure they do not contain any malicious components.
enterprise T1671 Cloud Application Integration Periodically review SaaS integrations for unapproved or potentially malicious applications.
enterprise T1059 Command and Scripting Interpreter Inventory systems for unauthorized command and scripting interpreter installations.
enterprise T1059.006 Python Inventory systems for unauthorized Python installations.
enterprise T1059.011 Lua Inventory systems for unauthorized Lua installations.
enterprise T1543 Create or Modify System Process Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.
enterprise T1543.003 Windows Service Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.
enterprise T1543.004 Launch Daemon Use auditing tools capable of detecting folder permissions abuse opportunities on systems, especially reviewing changes made to folders by third-party software.
enterprise T1530 Data from Cloud Storage Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.35
enterprise T1213 Data from Information Repositories Consider periodic review of accounts and privileges for critical and sensitive repositories. Ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that security groups assigned to them permit only necessary and authorized hosts.36
enterprise T1213.001 Confluence Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.
enterprise T1213.002 Sharepoint Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.
enterprise T1213.003 Code Repositories Consider periodic reviews of accounts and privileges for critical and sensitive code repositories. Scan code repositories for exposed credentials or other sensitive information.
enterprise T1213.004 Customer Relationship Management Software Consider periodic review of accounts and privileges for critical and sensitive CRM data.
enterprise T1213.005 Messaging Applications Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found.
enterprise T1213.006 Databases Consider periodic review of accounts and privileges for critical and sensitive databases.
enterprise T1610 Deploy Container Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.15
enterprise T1484 Domain or Tenant Policy Modification Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later)1.
enterprise T1484.001 Group Policy Modification Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later).1
enterprise T1482 Domain Trust Discovery Map the trusts within existing domains/forests and keep trust relationships to a minimum.
enterprise T1114 Email Collection Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.
enterprise T1114.003 Email Forwarding Rule Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.
enterprise T1546 Event Triggered Execution -
enterprise T1546.006 LC_LOAD_DYLIB Addition Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn’t included as part of an update, it should be investigated.
enterprise T1606 Forge Web Credentials Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.

Enable advanced auditing on ADFS. Check the success and failure audit options in the ADFS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.18 | | enterprise | T1606.001 | Web Cookies | Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed. | | enterprise | T1606.002 | SAML Tokens | Enable advanced auditing on AD FS. Check the success and failure audit options in the AD FS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.18 | | enterprise | T1564 | Hide Artifacts | Periodically audit virtual machines for abnormalities. | | enterprise | T1564.006 | Run Virtual Instance | Periodically audit virtual machines for abnormalities. On ESXi servers, periodically compare the output of vim-cmd vmsvc/getallvms, which lists all VMs in vCenter, and escxli vm process list | grep Display, which lists all VMs hosted on ESXi.3 | | enterprise | T1564.008 | Email Hiding Rules | Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis. | | enterprise | T1574 | Hijack Execution Flow | Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.2 | | enterprise | T1574.001 | DLL | Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.2 | | enterprise | T1574.005 | Executable Installer File Permissions Weakness | Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.2 | | enterprise | T1574.007 | Path Interception by PATH Environment Variable | Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. | | enterprise | T1574.008 | Path Interception by Search Order Hijacking | Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. | | enterprise | T1574.009 | Path Interception by Unquoted Path | Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate. | | enterprise | T1574.010 | Services File Permissions Weakness | Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.2 | | enterprise | T1562 | Impair Defenses | Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings. Periodically verify that tools such as EDRs are functioning as expected. | | enterprise | T1562.001 | Disable or Modify Tools | Periodically verify that tools are functioning appropriately – for example, that all expected hosts with EDRs or monitoring agents are checking in to the central console. Check EDRs to ensure that no unexpected exclusion paths have been added. In Microsoft Defender for Endpoint, exclusions can be reviewed with the Get-MpPreference cmdlet.37 | | enterprise | T1562.002 | Disable Windows Event Logging | Consider periodic review of auditpol settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. Also ensure that the EventLog service and its threads are properly running. | | enterprise | T1562.004 | Disable or Modify System Firewall | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. | | enterprise | T1562.007 | Disable or Modify Cloud Firewall | Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls. | | enterprise | T1562.012 | Disable or Modify Linux Audit System | Routinely check account role permissions to ensure only expected users and roles have permission to modify logging settings. | | enterprise | T1562.013 | Disable or Modify Network Device Firewall | Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls. | | enterprise | T1525 | Implant Internal Image | Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software. | | enterprise | T1070 | Indicator Removal | - | | enterprise | T1070.008 | Clear Mailbox Data | In an Exchange environment, Administrators can use Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious transport rules.7 | | enterprise | T1036 | Masquerading | Audit user accounts to ensure that each one has a defined purpose. | | enterprise | T1036.010 | Masquerade Account Name | Audit user accounts to ensure that each one has a defined purpose. | | enterprise | T1036.012 | Browser Fingerprint | Review and limit the fingerprinting surface to only necessary information on each browser to make the browser less unique. For example, the available fonts may be limited to a standard font list. 21 | | enterprise | T1556 | Modify Authentication Process | Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended. | | enterprise | T1556.006 | Multi-Factor Authentication | Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended. Review user accounts to ensure that all accounts have MFA enabled.20 | | enterprise | T1556.007 | Hybrid Identity | Periodically review the hybrid identity solution in use for any discrepancies. For example, review all PTA agents in the Entra ID Management Portal to identify any unwanted or unapproved ones.23 If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.22 | | enterprise | T1556.008 | Network Provider DLL | Periodically review for new and unknown network provider DLLs within the Registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider\ProviderPath). | | enterprise | T1578 | Modify Cloud Compute Infrastructure | Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components. | | enterprise | T1578.001 | Create Snapshot | Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups. | | enterprise | T1578.002 | Create Cloud Instance | Routinely check user permissions to ensure only the expected users have the capability to create new instances. | | enterprise | T1578.003 | Delete Cloud Instance | Routinely check user permissions to ensure only the expected users have the capability to delete new instances. | | enterprise | T1578.005 | Modify Cloud Compute Configurations | Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings. | | enterprise | T1666 | Modify Cloud Resource Hierarchy | Periodically audit resource groups in the cloud management console to ensure that only expected items exist, especially close to the top of the hierarchy (e.g., AWS accounts and Azure subscriptions). Typically, top-level accounts (such as the AWS management account) should not contain any workloads or resources.28 | | enterprise | T1095 | Non-Application Layer Protocol | Periodically investigate ESXi hosts for open VMCI ports. Running the lsof -A command and inspecting results with a type of SOCKET_VMCI will reveal processes that have open VMCI ports.19 | | enterprise | T1027 | Obfuscated Files or Information | Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data. | | enterprise | T1027.011 | Fileless Storage | Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data. | | enterprise | T1566 | Phishing | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. | | enterprise | T1566.001 | Spearphishing Attachment | Enable auditing and monitoring for email attachments and file transfers to detect and investigate suspicious activity. Regularly review logs for anomalies related to attachments containing potentially malicious content, as well as any attempts to execute or interact with these files. This practice helps identify spearphishing attempts before they can lead to further compromise. | | enterprise | T1566.002 | Spearphishing Link | Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege. | | enterprise | T1566.003 | Spearphishing via Service | Implement auditing and logging for interactions with third-party messaging services or collaboration platforms. Monitor user activity and review logs for signs of suspicious links, downloads, or file exchanges that could indicate spearphishing attempts. Effective auditing allows for the quick identification of malicious activity originating from compromised service accounts. | | enterprise | T1653 | Power Settings | Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activty. | | enterprise | T1542 | Pre-OS Boot | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. | | enterprise | T1542.004 | ROMMONkit | Periodically check the integrity of system image to ensure it has not been modified. 24 25 26 | | enterprise | T1542.005 | TFTP Boot | Periodically check the integrity of the running configuration and system image to ensure they have not been modified. 25 24 26 | | enterprise | T1563 | Remote Service Session Hijacking | - | | enterprise | T1563.002 | RDP Hijacking | Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. | | enterprise | T1021 | Remote Services | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. | | enterprise | T1021.001 | Remote Desktop Protocol | Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups. | | enterprise | T1021.005 | VNC | Inventory workstations for unauthorized VNC server software. | | enterprise | T1053 | Scheduled Task/Job | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. 2 | | enterprise | T1053.002 | At | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. 2 Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. 12 In Linux and macOS environments, scheduled tasks using at can be audited locally, or through centrally collected logging, using syslog, or auditd events from the host. 13 | | enterprise | T1053.003 | Cron | Review changes to the cron schedule. cron execution can be reviewed within the /var/log directory. To validate the location of the cron log file, check the syslog config at /etc/rsyslog.conf or /etc/syslog.conf. | | enterprise | T1053.005 | Scheduled Task | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. 2 | | enterprise | T1593 | Search Open Websites/Domains | Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code. | | enterprise | T1593.003 | Code Repositories | Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code. | | enterprise | T1505 | Server Software Component | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. | | enterprise | T1505.001 | SQL Stored Procedures | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. | | enterprise | T1505.002 | Transport Agent | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. | | enterprise | T1505.004 | IIS Components | Regularly check installed IIS components to verify the integrity of the web server and identify if unexpected changes have been made. | | enterprise | T1505.005 | Terminal Services DLL | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. | | enterprise | T1505.006 | vSphere Installation Bundles | Periodically audit ESXi hosts to ensure that only approved VIBs are installed. The command esxcli software vib list lists installed VIBs, while the command esxcli software vib signature verify verifies the signatures of installed VIBs.38 | | enterprise | T1176 | Software Extensions | Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones. | | enterprise | T1176.001 | Browser Extensions | Ensure extensions that are installed are the intended ones, as many malicious extensions will masquerade as legitimate ones. | | enterprise | T1176.002 | IDE Extensions | Ensure extensions that are installed are the intended ones, as many malicious extensions may masquerade as legitimate ones. | | enterprise | T1528 | Steal Application Access Token | Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. Suspicious applications should be investigated and removed. | | enterprise | T1649 | Steal or Forge Authentication Certificates | Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define available settings for created certificates). For example, available AD CS certificate templates can be checked via the Certificate Authority MMC snap-in (certsrv.msc). certutil.exe can also be used to examine various information within an AD CS CA database.333132 | | enterprise | T1558 | Steal or Forge Kerberos Tickets | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. | | enterprise | T1558.004 | AS-REP Roasting | Kerberos preauthentication is enabled by default. Older protocols might not support preauthentication therefore it is possible to have this setting disabled. Make sure that all accounts have preauthentication whenever possible and audit changes to setting. Windows tools such as PowerShell may be used to easily find which accounts have preauthentication disabled. 1011 | | enterprise | T1558.005 | Ccache Files | Enable and perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.16 For example, use auditd to audit access to hashes, machine tickets, or /tmp files. If using sssd and Vintela, ensure kerberos is disabled if not being used.17 | | enterprise | T1539 | Steal Web Session Cookie | Implement auditing for authentication activities and user logins to detect the use of stolen session cookies. Monitor for impossible travel scenarios and anomalous behavior that could indicate the use of compromised session tokens or cookies. | | enterprise | T1552 | Unsecured Credentials | Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found. | | enterprise | T1552.001 | Credentials In Files | Preemptively search for files containing passwords and take actions to reduce the exposure risk when found. | | enterprise | T1552.002 | Credentials in Registry | Proactively search for credentials within the Registry and attempt to remediate the risk. | | enterprise | T1552.004 | Private Keys | Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. | | enterprise | T1552.006 | Group Policy Preferences | Search SYSVOL for any existing GGPs that may contain credentials and remove them.14 | | enterprise | T1552.008 | Chat Messages | Preemptively search through communication services to find shared unsecured credentials. Searching for common patterns like “password is “, “password=” and take actions to reduce exposure when found. | | enterprise | T1550 | Use Alternate Authentication Material | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. | | enterprise | T1550.001 | Application Access Token | Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Where possible, the ability to request temporary account tokens on behalf of another accounts should be disabled. Additionally, administrators can leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access. | | enterprise | T1204 | User Execution | - | | enterprise | T1204.003 | Malicious Image | Audit images deployed within the environment to ensure they do not contain any malicious components. |

References

  1. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019. 

  2. PowerSploit. (n.d.). Retrieved December 4, 2014. 

  3. Lex Crumpton. (2024, May 22). Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion. Retrieved March 26, 2025. 

  4. Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017. 

  5. Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024. 

  6. Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023. 

  7. Microsoft. (n.d.). Get-InboxRule. Retrieved June 10, 2021. 

  8. UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. 

  9. Microsoft. (2012, July 18). Preauthentication. Retrieved August 24, 2020. 

  10. Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020. 

  11. Carvey, H.. (2014, September). Where You AT?: Indicators of Lateral Movement Using at.exe on Windows 7 Systems. Retrieved November 27, 2019. 

  12. Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019. 

  13. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020. 

  14. National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022. 

  15. Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021. 

  16. Wadhwa-Brown, Tim. (2022). audit.rules. Retrieved September 17, 2024. 

  17. Bierstock, D., Baker, A. (2019, March 21). I am AD FS and So Can You. Retrieved December 17, 2020. 

  18. Alex Marvi, Greg Blaum, and Ron Craft. (2023, June 28). Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts. Retrieved March 26, 2025. 

  19. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023. 

  20. W3C. (2025, September 12). Mitigating Browser Fingerprinting in Web Specifications. Retrieved September 22, 2025. 

  21. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022. 

  22. Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022. 

  23. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. Retrieved October 21, 2020. 

  24. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020. 

  25. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020. 

  26. Gerend, J. et al.. (2017, October 16). sxstrace. Retrieved April 26, 2021. 

  27. AWS. (n.d.). Best practices for the management account. Retrieved October 16, 2024. 

  28. Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021. 

  29. McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019. 

  30. HarmJ0y et al. (2021, June 16). PSPKIAudit. Retrieved August 2, 2022. 

  31. HarmJ0y et al. (2021, June 9). Certify. Retrieved August 4, 2022. 

  32. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. 

  33. Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024. 

  34. Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019. 

  35. AWS. (n.d.). Working with a DB instance in a VPC. Retrieved September 24, 2024. 

  36. Christopher Brumm. (2021, August 4). My learnings on Microsoft Defender for Endpoint and Exclusions. Retrieved March 18, 2025. 

  37. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.