{
  "description": "Enterprise techniques used by User Account Management, ATT&CK mitigation M1018 v1.1",
  "name": "User Account Management (M1018)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.3", "attack": "10", "navigator": "4.5"},
  "techniques": [
    {"score": 1, "techniqueID": "T1134", "showSubtechniques": true, "comment": "An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require."},
    {"score": 1, "techniqueID": "T1134.001", "showSubtechniques": true, "comment": "An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require."},
    {"score": 1, "techniqueID": "T1134.002", "showSubtechniques": true, "comment": "An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require."},
    {"score": 1, "techniqueID": "T1134.003", "showSubtechniques": true, "comment": "An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require."},
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"score": 1, "techniqueID": "T1087.004", "showSubtechniques": true, "comment": "Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies."},
    {"score": 1, "techniqueID": "T1197", "showSubtechniques": false, "comment": "Consider limiting access to the BITS interface to specific users or groups.(Citation: Symantec BITS May 2007)"},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"score": 1, "techniqueID": "T1547.004", "showSubtechniques": true, "comment": "Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes."},
    {"score": 1, "techniqueID": "T1547.009", "showSubtechniques": true, "comment": "Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. (Citation: UCF STIG Symbolic Links)"},
    {"score": 1, "techniqueID": "T1547.012", "showSubtechniques": true, "comment": "Limit user accounts that can load or unload device drivers by disabling SeLoadDriverPrivilege."},
    {"score": 1, "techniqueID": "T1547.013", "showSubtechniques": true, "comment": "Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries."},
    {"score": 1, "techniqueID": "T1185", "showSubtechniques": false, "comment": "Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) opportunities can limit the exposure to this technique."},
    {"score": 1, "techniqueID": "T1110", "showSubtechniques": true, "comment": "Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting brute-force attempts."},
    {"score": 1, "techniqueID": "T1110.004", "showSubtechniques": true, "comment": "Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting brute-force attempts."},
    {"score": 1, "techniqueID": "T1580", "showSubtechniques": false, "comment": "Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies."},
    {"score": 1, "techniqueID": "T1538", "showSubtechniques": false, "comment": "Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account."},
    {"score": 1, "techniqueID": "T1619", "showSubtechniques": false, "comment": "Restrict granting of permissions related to listing objects in cloud storage to necessary accounts."},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"score": 1, "techniqueID": "T1059.008", "showSubtechniques": true, "comment": "Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions users can perform and provide a history of user actions to detect unauthorized use and abuse. Ensure least privilege principles are applied to user accounts and groups so that only authorized users can perform configuration changes. (Citation: Cisco IOS Software Integrity Assurance - AAA)"},
    {"score": 1, "techniqueID": "T1613", "showSubtechniques": false, "comment": "Enforce the principle of least privilege by limiting dashboard visibility to only the required users."},
    {"score": 1, "techniqueID": "T1543", "showSubtechniques": true, "comment": "Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations."},
    {"score": 1, "techniqueID": "T1543.002", "showSubtechniques": true, "comment": "Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need."},
    {"score": 1, "techniqueID": "T1543.003", "showSubtechniques": true, "comment": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations."},
    {"score": 1, "techniqueID": "T1543.004", "showSubtechniques": true, "comment": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons."},
    {"score": 1, "techniqueID": "T1530", "showSubtechniques": false, "comment": "Configure user permissions groups and roles for access to cloud storage.(Citation: Microsoft Azure Storage Security, 2019) Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access.(Citation: Amazon S3 Security, 2019) Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.(Citation: Amazon  AWS Temporary Security Credentials)"},
    {"score": 1, "techniqueID": "T1213", "showSubtechniques": true, "comment": "Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization."},
    {"score": 1, "techniqueID": "T1213.001", "showSubtechniques": true, "comment": "Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization."},
    {"score": 1, "techniqueID": "T1213.002", "showSubtechniques": true, "comment": "Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization."},
    {"score": 1, "techniqueID": "T1213.003", "showSubtechniques": true, "comment": "Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization for code repositories."},
    {"score": 1, "techniqueID": "T1610", "showSubtechniques": false, "comment": "Enforce the principle of least privilege by limiting container dashboard access to only the necessary users."},
    {"score": 1, "techniqueID": "T1484", "showSubtechniques": true, "comment": "Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.(Citation: Wald0 Guide to GPOs)(Citation: Microsoft WMI Filters)(Citation: Microsoft GPO Security Filtering)"},
    {"score": 1, "techniqueID": "T1484.001", "showSubtechniques": true, "comment": "Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.(Citation: Wald0 Guide to GPOs)(Citation: Microsoft WMI Filters)(Citation: Microsoft GPO Security Filtering)"},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"score": 1, "techniqueID": "T1546.003", "showSubtechniques": true, "comment": "By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI."},
    {"score": 1, "techniqueID": "T1606", "showSubtechniques": true, "comment": "Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.(Citation: Microsoft SolarWinds Customer Guidance)"},
    {"score": 1, "techniqueID": "T1606.002", "showSubtechniques": true, "comment": "Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.(Citation: Microsoft SolarWinds Customer Guidance)"},
    {"score": 1, "techniqueID": "T1574", "showSubtechniques": true, "comment": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.\n\nEnsure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution."},
    {"score": 1, "techniqueID": "T1574.005", "showSubtechniques": true, "comment": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able."},
    {"score": 1, "techniqueID": "T1574.010", "showSubtechniques": true, "comment": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able."},
    {"score": 1, "techniqueID": "T1574.012", "showSubtechniques": true, "comment": "Limit the privileges of user accounts so that only authorized administrators can edit system environment variables."},
    {"score": 1, "techniqueID": "T1562", "showSubtechniques": true, "comment": "Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services."},
    {"score": 1, "techniqueID": "T1562.001", "showSubtechniques": true, "comment": "Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services."},
    {"score": 1, "techniqueID": "T1562.002", "showSubtechniques": true, "comment": "Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging."},
    {"score": 1, "techniqueID": "T1562.004", "showSubtechniques": true, "comment": "Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings."},
    {"score": 1, "techniqueID": "T1562.006", "showSubtechniques": true, "comment": "Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts."},
    {"score": 1, "techniqueID": "T1562.007", "showSubtechniques": true, "comment": "Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.(Citation: Expel IO Evil in AWS)"},
    {"score": 1, "techniqueID": "T1562.008", "showSubtechniques": true, "comment": "Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies."},
    {"score": 1, "techniqueID": "T1578", "showSubtechniques": true, "comment": "Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)"},
    {"score": 1, "techniqueID": "T1578.001", "showSubtechniques": true, "comment": "Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)"},
    {"score": 1, "techniqueID": "T1578.002", "showSubtechniques": true, "comment": "Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)"},
    {"score": 1, "techniqueID": "T1578.003", "showSubtechniques": true, "comment": "Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)"},
    {"score": 1, "techniqueID": "T1563", "showSubtechniques": true, "comment": "Limit remote user permissions if remote access is necessary."},
    {"score": 1, "techniqueID": "T1563.002", "showSubtechniques": true, "comment": "Limit remote user permissions if remote access is necessary."},
    {"score": 1, "techniqueID": "T1021", "showSubtechniques": true, "comment": "Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs."},
    {"score": 1, "techniqueID": "T1021.001", "showSubtechniques": true, "comment": "Limit remote user permissions if remote access is necessary."},
    {"score": 1, "techniqueID": "T1021.004", "showSubtechniques": true, "comment": "Limit which user accounts are allowed to log in via SSH."},
    {"score": 1, "techniqueID": "T1053", "showSubtechniques": true, "comment": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems."},
    {"score": 1, "techniqueID": "T1053.001", "showSubtechniques": true, "comment": "User account-level access to [at](https://attack.mitre.org/software/S0110) can be managed using the /etc/at.allow and /etc/at.deny files. Users listed in at.allow are allowed to schedule actions using at, whereas users listed in at.deny are blocked from using the utility."},
    {"score": 1, "techniqueID": "T1053.002", "showSubtechniques": true, "comment": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems."},
    {"score": 1, "techniqueID": "T1053.003", "showSubtechniques": true, "comment": "cron permissions are controlled by /etc/cron.allow and /etc/cron.deny. If there is a cron.allow file, then the user or users that need to use cron will need to be listed in the file. cron.deny is used to explicitly disallow users from using cron. If neither file exists, then only the superuser is allowed to run cron."},
    {"score": 1, "techniqueID": "T1053.005", "showSubtechniques": true, "comment": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems."},
    {"score": 1, "techniqueID": "T1053.006", "showSubtechniques": true, "comment": "Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need."},
    {"score": 1, "techniqueID": "T1053.007", "showSubtechniques": true, "comment": "Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs."},
    {"score": 1, "techniqueID": "T1505", "showSubtechniques": true, "comment": "Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components.(Citation: NSA and ASD Detect and Prevent Web Shells 2020)"},
    {"score": 1, "techniqueID": "T1505.003", "showSubtechniques": true, "comment": "Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify the web directory.(Citation: NSA and ASD Detect and Prevent Web Shells 2020)"},
    {"score": 1, "techniqueID": "T1489", "showSubtechniques": false, "comment": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations."},
    {"score": 1, "techniqueID": "T1072", "showSubtechniques": false, "comment": "Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation."},
    {"score": 1, "techniqueID": "T1528", "showSubtechniques": false, "comment": "A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens."},
    {"score": 1, "techniqueID": "T1569", "showSubtechniques": true, "comment": "Prevent users from installing their own launch agents or launch daemons."},
    {"score": 1, "techniqueID": "T1569.001", "showSubtechniques": true, "comment": "Prevent users from installing their own launch agents or launch daemons."},
    {"score": 1, "techniqueID": "T1537", "showSubtechniques": false, "comment": "Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts."},
    {"score": 1, "techniqueID": "T1550", "showSubtechniques": true, "comment": "Enforce the principle of least-privilege. Do not allow a domain user to be in the local administrator group on multiple systems."},
    {"score": 1, "techniqueID": "T1550.002", "showSubtechniques": true, "comment": "Do not allow a domain user to be in the local administrator group on multiple systems."},
    {"score": 1, "techniqueID": "T1550.003", "showSubtechniques": true, "comment": "Do not allow a user to be a local administrator for multiple systems."},
    {"techniqueID": "T1078", "showSubtechniques": true},
    {"score": 1, "techniqueID": "T1078.004", "showSubtechniques": true, "comment": "Periodically review user accounts and remove those that are inactive or unnecessary. Limit the ability for user accounts to create additional accounts."},
    {"score": 1, "techniqueID": "T1047", "showSubtechniques": false, "comment": "By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users from connecting remotely to WMI."}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by User Account Management", "color": "#66b1ff"}]
}