User Account Management
Manage the creation, modification, use, and permissions associated with user accounts.
Techniques Addressed by Mitigation
| Domain | ID | Name | Description |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | An adversary must already have administrator-level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
| Enterprise | T1197 | BITS Jobs | Consider limiting access to the BITS interface to specific users or groups. |
| Enterprise | T1538 | Cloud Service Dashboard | Enforce the principle of least privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account. |
| Enterprise | T1530 | Data from Cloud Storage Object | Configure user permissions, groups, and roles for access to cloud storage. Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access. Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.[7][8][9] |
| Enterprise | T1213 | Data from Information Repositories | Enforce the principle of least privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
| Enterprise | T1089 | Disabling Security Tools | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. |
| Enterprise | T1157 | Dylib Hijacking | Prevent users from being able to write files to the search paths for applications. |
| Enterprise | T1044 | File System Permissions Weakness | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. |
| Enterprise | T1484 | Group Policy Modification | Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.[1][2][3] |
| Enterprise | T1054 | Indicator Blocking | Ensure event tracers/forwarders, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.[4] |
| Enterprise | T1159 | Launch Agent | Restrict users' ability to create Launch Agents with group policy. |
| Enterprise | T1160 | Launch Daemon | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons. |
| Enterprise | T1152 | Launchctl | Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy. |
| Enterprise | T1168 | Local Job Scheduling | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs. |
| Enterprise | T1162 | Login Item | Restrict users from being able to create their own login items. |
| Enterprise | T1185 | Man in the Browser | Since browser pivoting requires a high-integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique. |
| Enterprise | T1031 | Modify Existing Service | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. |
| Enterprise | T1050 | New Service | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services. |
| Enterprise | T1075 | Pass the Hash | Do not allow a domain user to be in the local administrator group on multiple systems. |
| Enterprise | T1097 | Pass the Ticket | Do not allow a user to be a local administrator for multiple systems. |
| Enterprise | T1034 | Path Interception | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory. |
| Enterprise | T1163 | Rc.common | Limit privileges of user accounts so only authorized users can edit the rc.common file. |
| Enterprise | T1076 | Remote Desktop Protocol | Limit remote user permissions if remote access is necessary. |
| Enterprise | T1021 | Remote Services | Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. |
| Enterprise | T1053 | Scheduled Task | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. |
| Enterprise | T1489 | Service Stop | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. |
| Enterprise | T1051 | Shared Webroot | Ensure that the permissions of the web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems.[5][6] |
| Enterprise | T1023 | Shortcut Modification | Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. |
| Enterprise | T1165 | Startup Items | Appropriate permissions should be applied such that only specific users can edit the startup items, so that they cannot be leveraged for privilege escalation. |
| Enterprise | T1528 | Steal Application Access Token | A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens. |
| Enterprise | T1501 | Systemd Service | Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need. |
| Enterprise | T1072 | Third-party Software | Ensure that any accounts used by third-party providers to access these systems are traceable to the third party and are not used throughout the network or by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through the use of account privilege separation. |
| Enterprise | T1537 | Transfer Data to Cloud Account | Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts. |
| Enterprise | T1078 | Valid Accounts | Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Configure user permissions, groups, and roles for access to cloud-based systems as well. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Consider using temporary credentials that are only valid for a certain period of time in cloud environments to reduce the effectiveness of compromised accounts. |
| Enterprise | T1047 | Windows Management Instrumentation | By default, only administrators are allowed to connect remotely using WMI. Restrict which other users are allowed to connect, or disallow all users from connecting remotely to WMI. |
| Enterprise | T1084 | Windows Management Instrumentation Event Subscription | By default, only administrators are allowed to connect remotely using WMI; restrict which other users are allowed to connect, or disallow all users from connecting remotely to WMI. |
| Enterprise | T1004 | Winlogon Helper DLL | Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes. |
References
1. Robbins, A. (2018, April 2). A Red Teamer's Guide to GPOs and OUs. Retrieved March 5, 2019.
2. Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019.
3. Microsoft. (2018, May 30). Filtering the Scope of a GPO. Retrieved March 13, 2019.
4. Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018.
5. Acunetix. (n.d.). Web Server Security and Database Server Security. Retrieved July 26, 2018.
6. Scarfone, K. et al. (2008, July). NIST Special Publication 800-123 - Guide to General Server Security. Retrieved July 26, 2018.
7. Amlekar, M., Brooks, C., Claman, L., et al. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019.
8. Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket? Retrieved October 4, 2019.
9. Amazon. (n.d.). Temporary Security Credentials. Retrieved October 18, 2019.