Home
SCKIPT is an initiative created by Sergio Albea focus on detect possible User Behaviours which can put the security of our systems in risk. More explanations here.
Initially, SCKIPT was focused on the behavior of Standard Users, referring to accounts with no privileges or advanced roles. In 2025, it has been upgraded to include the monitoring of Privileged User behavior, to monitor and track their activities and to ensure that they use the assigned access in the correct way and do not abuse their assigned roles.
UB – User Behaviour Rp -Related Page K -KQL Queries W– WebSites M – MITRE ATT&CK Reference
SCKIPT User Behaviour Matrix (Standard Users) | ||||
|---|---|---|---|---|
Source (UB) | Case Scenario (C) | Known Interactions (K) | Protection (P) | Threats (T) |
UB1. Email | UB1.C1 – Send Emails Externally | UB1.C1.K1 – Send attachment files | UB1.C1.K1.P1 – Split information to not allow to identify sensitive / confidential data from one source – Whitemark, obfuscate, replace sensitive / Confidential data – DLP/DRM – Deny screenshot software and/or monitor screenshot software extensions – Deny sharing options or limit the sharing option to internal organisation or specific group controlled and audited | UB1.C1.K1.T1 – Send personal or confidential data  UB1.C1.K1.T2 – Share access to personal or confidential data |
UB1.C2 – Open Emails | UB1.C2.K1 – Open attachments UB1.C2.K2 – Click on URL’s | UB1.C2.K1.P1 – BlockMonitor/Restrict attachment extensions – Block/Monitor FileHashes with Threat Intelligence Sources – BlockMonitor/Restrict file actions (execution, web redirection, OS modifications, and others) UB1.C2.K2.P1 – Monitor IP/Domains/URLs with Threat Intelligence sources – Monitor URL redirection – Monitor sender domains and sender email addresses – Use a link checker  | UB1.C2.K1.T1 Open malicious or infected attachment files UB1.C2.K2.T1 Click on URLs redirecting to malicious content | |
UB1.C3 -Enable Auto-Reply Messages | UB1.C3.P1 – Block/Monitor/Restrict Auto-Replies messages (ex. Internally) | UB1.C3.T1 – Send private data externally in the Auto-Reply messages  | ||
UB1.C4 – Email Sender Lists | UB1.C4.K1 – Add Domains or senders as trusted | UB1.C4.K1.P1 – Monitor/Restrict Domains/Email Address added into Sender Lists | UB1.C4.K1.T1 Add malicious domains or senders as trusted | |
UB1.C5 – Email Rules | UB1.C5.K1 – Auto-forwarding Rules | UB1.C5.K1.P1 – Block/Monitor/Restrict Auto-Forwarding Rules (ex. Internally) | UB1.C5.K1.T1 – Email Rules can forward sensitive data or/and trigger risky activities | |
UB1.C6 – Remove Emails | UB1.C6.P1 – Backups and archive UB1.C6.P2 -Audit Mailbox actions UB1.C6.P3 – Preserved and store emails after being removed by the user (ex. In-Place Hold and Litigation Hold in Exchange Server) | UB1.C6.T1 – Lost of email non-reputation evidence | ||
UB1.C7 – Delegate mailbox permissions | UB1.C7.P1 – Audit Mailboxes  UB1.C7.P2 -Block/Disable permission delegation feature or require on-demand approval | UB1.C7.T1 – Unauthorised user access to restricted or sensitive information over the delegated mailbox UB1.C7.T2 -Lost of email non-reputation evidence | ||