Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Remove users from the local administrator group on systems. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed. |
|
.002 | Bypass User Account Control |
Remove users from the local administrator group on systems. |
||
.003 | Sudo and Sudo Caching |
By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the |
||
Enterprise | T1134 | Access Token Manipulation |
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [1] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[2] Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command |
|
.001 | Token Impersonation/Theft |
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [1] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[2] Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command |
||
.002 | Create Process with Token |
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [1] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[2] Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command |
||
.003 | Make and Impersonate Token |
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [1] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[2] Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command |
||
Enterprise | T1098 | Account Manipulation |
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
|
.001 | Additional Cloud Credentials |
Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
||
.002 | Exchange Email Delegate Permissions |
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
||
.003 | Add Office 365 Global Administrator Role |
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
||
Enterprise | T1547 | .006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions |
Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities. |
Enterprise | T1612 | Build Image on Host |
Ensure containers are not running as root by default. |
|
Enterprise | T1059 | Command and Scripting Interpreter |
When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[4] |
|
.001 | PowerShell |
When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[4] |
||
.008 | Network Device CLI |
Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization[5] [6] |
||
Enterprise | T1609 | Container Administration Command |
Ensure containers are not running as root by default. |
|
Enterprise | T1136 | Create Account |
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
|
.001 | Local Account |
Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries. |
||
.002 | Domain Account |
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
||
.003 | Cloud Account |
Do not allow privileged accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
||
Enterprise | T1543 | .002 | Create or Modify System Process: Systemd Service |
The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. |
Enterprise | T1484 | Domain Policy Modification |
Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges. |
|
.002 | Domain Trust Modification |
Use the principal of least privilege and protect administrative access to domain trusts. |
||
Enterprise | T1611 | Escape to Host |
Ensure containers are not running as root by default. |
|
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
Prevent credential overlap across systems of administrator and privileged accounts.[7] |
Enterprise | T1190 | Exploit Public-Facing Application |
Use least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. |
|
Enterprise | T1210 | Exploitation of Remote Services |
Minimize permissions and access for service accounts to limit impact of exploitation. |
|
Enterprise | T1222 | File and Directory Permissions Modification |
Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality. |
|
.001 | Windows File and Directory Permissions Modification |
Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality. |
||
.002 | Linux and Mac File and Directory Permissions Modification |
Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality. |
||
Enterprise | T1495 | Firmware Corruption |
Prevent adversary access to privileged accounts or access necessary to replace system firmware. |
|
Enterprise | T1606 | Forge Web Credentials |
Restrict permissions and access to the AD FS server to only originate from privileged access workstations.[8] |
|
.002 | SAML Tokens |
Restrict permissions and access to the AD FS server to only originate from privileged access workstations.[8] |
||
Enterprise | T1562 | .009 | Impair Defenses: Safe Mode Boot |
Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.[9] |
Enterprise | T1525 | Implant Internal Image |
Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege. |
|
Enterprise | T1056 | .003 | Input Capture: Web Portal Capture |
Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Enterprise | T1559 | Inter-Process Communication |
Modify Registry settings (directly or using Dcomcnfg.exe) in Modify Registry settings (directly or using Dcomcnfg.exe) in |
|
.001 | Component Object Model |
Modify Registry settings (directly or using Dcomcnfg.exe) in Modify Registry settings (directly or using Dcomcnfg.exe) in |
||
Enterprise | T1556 | Modify Authentication Process |
Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [13] [14] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [15] Limit access to the root account and prevent users from modifying protected components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities. |
|
.001 | Domain Controller Authentication |
Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [13] [14] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [15] |
||
.003 | Pluggable Authentication Modules |
Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities. |
||
.004 | Network Device Authentication |
Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints. |
||
Enterprise | T1601 | Modify System Image |
Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints. |
|
.001 | Patch System Image |
Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints. |
||
.002 | Downgrade System Image |
Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints. |
||
Enterprise | T1599 | Network Boundary Bridging |
Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints. |
|
.001 | Network Address Translation Traversal |
Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints. |
||
Enterprise | T1003 | OS Credential Dumping |
Windows:Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[15] Linux:Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive regions of memory. |
|
.001 | LSASS Memory |
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
||
.002 | Security Account Manager |
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
||
.003 | NTDS |
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
||
.004 | LSA Secrets |
Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[16] |
||
.005 | Cached Domain Credentials |
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
||
.006 | DCSync |
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
||
.007 | Proc Filesystem |
Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing sensitive information. |
||
.008 | /etc/passwd and /etc/shadow |
Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information. |
||
Enterprise | T1542 | Pre-OS Boot |
Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions |
|
.001 | System Firmware |
Prevent adversary access to privileged accounts or access necessary to perform this technique. |
||
.003 | Bootkit |
Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit. |
||
.005 | TFTP Boot |
Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. [5] [6] |
||
Enterprise | T1055 | Process Injection |
Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor. |
|
.008 | Ptrace System Calls |
Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor. |
||
Enterprise | T1563 | Remote Service Session Hijacking |
Do not allow remote access to services as a privileged account unless necessary. |
|
.001 | SSH Hijacking |
Do not allow remote access via SSH as root or other privileged accounts. |
||
.002 | RDP Hijacking |
Consider removing the local Administrators group from the list of groups allowed to log in through RDP. |
||
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Consider removing the local Administrators group from the list of groups allowed to log in through RDP. |
.002 | Remote Services: SMB/Windows Admin Shares |
Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems. |
||
.003 | Remote Services: Distributed Component Object Model |
Modify Registry settings (directly or using Dcomcnfg.exe) in Modify Registry settings (directly or using Dcomcnfg.exe) in |
||
.006 | Remote Services: Windows Remote Management |
If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions. |
||
Enterprise | T1053 | Scheduled Task/Job |
Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [17] |
|
.002 | At (Windows) |
Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [17] |
||
.005 | Scheduled Task |
Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [17] |
||
.006 | Systemd Timers |
Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files. |
||
.007 | Container Orchestration Job |
Ensure containers are not running as root by default. |
||
Enterprise | T1505 | Server Software Component |
Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
|
.001 | SQL Stored Procedures |
Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
||
.002 | Transport Agent |
Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
||
.004 | IIS Components |
Do not allow administrator accounts that have permissions to add IIS components to be used for day-to-day operations that may expose these permissions to potential adversaries and/or other unprivileged systems. |
||
Enterprise | T1218 | Signed Binary Proxy Execution |
Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage. |
|
.007 | Msiexec |
Restrict execution of Msiexec.exe to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage. |
||
Enterprise | T1072 | Software Deployment Tools |
Grant access to application deployment systems only to a limited number of authorized administrators. |
|
Enterprise | T1558 | Steal or Forge Kerberos Tickets |
Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[18] |
|
.001 | Golden Ticket |
Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. |
||
.002 | Silver Ticket |
Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[18] |
||
.003 | Kerberoasting |
Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[18] |
||
Enterprise | T1553 | .006 | Subvert Trust Controls: Code Signing Policy Modification |
Limit the usage of local administrator and domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries. |
Enterprise | T1569 | System Services |
Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. |
|
.002 | Service Execution |
Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. |
||
Enterprise | T1552 | Unsecured Credentials |
If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary. |
|
.002 | Credentials in Registry |
If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary. |
||
.007 | Container API |
Use the principle of least privilege for privileged accounts such as the service account in Kubernetes. |
||
Enterprise | T1550 | Use Alternate Authentication Material |
Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. |
|
.002 | Pass the Hash |
Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. |
||
.003 | Pass the Ticket |
Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.[19] |
||
Enterprise | T1078 | Valid Accounts |
Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [13] [14] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [15] |
|
.002 | Domain Accounts |
Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained. |
||
.003 | Local Accounts |
Audit local accounts permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [13] [14] These audits should check if new local accounts are created that have not be authorized. Implementing LAPS may help prevent reuse of local administrator credentials across a domain.[20] |
||
.004 | Cloud Accounts |
Review privileged cloud account permission levels routinely to look for those that could allow an adversary to gain wide access.[13][14] These reviews should also check if new privileged cloud accounts have been created that were not authorized. |
||
Enterprise | T1047 | Windows Management Instrumentation |
Prevent credential overlap across systems of administrator and privileged accounts. [7] |