User Account Management

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Consider limiting access to the BITS interface to specific users or groups.

Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account.

Configure user permissions groups and roles for access to cloud storage. Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access. Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.^[7][8][9]

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Prevent users from being able to write files to the search paths for applications.

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.^[1][2][3]

Ensure event tracers/forwarders, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.^[4]

Restrict user's abilities to create Launch Agents with group policy.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs.

Restrict users from being able to create their own login items.

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.

Do not allow a domain user to be in the local administrator group on multiple systems.

Do not allow a user to be a local administrator for multiple systems.

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution.

Limit privileges of user accounts so only authorized users can edit the rc.common file.

Limit remote user permissions if remote access is necessary.

Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems.^[5][6]

Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links.

Appropriate permissions should be applied such that only specific users can edit the startup items so that they can be leveraged for privilege escalation.

A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens.

Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need.

Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.

Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts.

Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Configure user permissions, groups, and roles for access to cloud-based systems as well. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Consider using temporary credentials that are only good for a certain period of time in cloud environments to reduce the effectiveness of compromised accounts.

By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI.

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.