User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation |
An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
|
| .001 | Token Impersonation/Theft |
An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
||
| .002 | Create Process with Token |
An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
||
| .003 | Make and Impersonate Token |
An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
||
| Enterprise | T1197 | BITS Jobs |
Consider limiting access to the BITS interface to specific users or groups. [1] |
|
| Enterprise | T1547 | .004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes. |
| .009 | Boot or Logon Autostart Execution: Shortcut Modification |
Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. [9] |
||
| Enterprise | T1110 | Brute Force |
Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts. |
|
| .004 | Credential Stuffing |
Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts. |
||
| Enterprise | T1538 | Cloud Service Dashboard |
Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account. |
|
| Enterprise | T1543 | Create or Modify System Process |
Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations. |
|
| .001 | Launch Agent |
Restrict user's abilities to create Launch Agents with group policy. |
||
| .002 | Systemd Service |
Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need. |
||
| .003 | Windows Service |
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. |
||
| .004 | Launch Daemon |
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons. |
||
| Enterprise | T1530 | Data from Cloud Storage Object |
Configure user permissions groups and roles for access to cloud storage.[5] Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access.[6] Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.[7] |
|
| Enterprise | T1213 | Data from Information Repositories |
Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
|
| .001 | Confluence |
Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
||
| .002 | Sharepoint |
Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization. |
||
| Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. |
| Enterprise | T1484 | Group Policy Modification |
Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.[2][3][4] |
|
| Enterprise | T1574 | Hijack Execution Flow |
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory |
|
| .010 | Services File Permissions Weakness |
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. |
||
| .005 | Executable Installer File Permissions Weakness |
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. |
||
| .012 | COR_PROFILER |
Limit the privileges of user accounts so that only authorized administrators can edit system environment variables. |
||
| Enterprise | T1562 | Impair Defenses |
Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
|
| .001 | Disable or Modify Tools |
Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. |
||
| .002 | Disable Windows Event Logging |
Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging. |
||
| .004 | Disable or Modify System Firewall |
Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
||
| .006 | Indicator Blocking |
Ensure event tracers/forwarders [10], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts. |
||
| .007 | Disable or Modify Cloud Firewall |
Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.[11] |
||
| Enterprise | T1185 | Man in the Browser |
Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique. |
|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[8] |
|
| .002 | Create Cloud Instance |
Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[8] |
||
| .001 | Create Snapshot |
Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[8] |
||
| .003 | Delete Cloud Instance |
Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[8] |
||
| Enterprise | T1563 | Remote Service Session Hijacking |
Limit remote user permissions if remote access is necessary. |
|
| .002 | RDP Hijacking |
Limit remote user permissions if remote access is necessary. |
||
| Enterprise | T1021 | Remote Services |
Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. |
|
| .001 | Remote Desktop Protocol |
Limit remote user permissions if remote access is necessary. |
||
| .004 | SSH |
Limit which user accounts are allowed to login via SSH. |
||
| Enterprise | T1053 | Scheduled Task/Job |
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. |
|
| .002 | At (Windows) |
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. |
||
| .005 | Scheduled Task |
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. |
||
| .001 | At (Linux) |
Users account-level access to |
||
| .004 | Launchd |
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons. |
||
| .003 | Cron |
|
||
| Enterprise | T1489 | Service Stop |
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. |
|
| Enterprise | T1072 | Software Deployment Tools |
Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation. |
|
| Enterprise | T1528 | Steal Application Access Token |
A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens. |
|
| Enterprise | T1569 | System Services |
Prevent users from installing their own launch agents or launch daemons. |
|
| .001 | Launchctl |
Prevent users from installing their own launch agents or launch daemons. |
||
| Enterprise | T1537 | Transfer Data to Cloud Account |
Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts. |
|
| Enterprise | T1550 | Use Alternate Authentication Material |
Enforce the principle of least-privilege. Do not allow a domain user to be in the local administrator group on multiple systems. |
|
| .002 | Pass the Hash |
Do not allow a domain user to be in the local administrator group on multiple systems. |
||
| .003 | Pass the Ticket |
Do not allow a user to be a local administrator for multiple systems. |
||
| Enterprise | T1047 | Windows Management Instrumentation |
By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI. |
|
References
- Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.
- Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019.
- Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019.
- Microsoft. (2018, May 30). Filtering the Scope of a GPO. Retrieved March 13, 2019.
- Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019.
- Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019.
- Amazon. (n.d.). Temporary Security Credentials. Retrieved October 18, 2019.
- FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.
- UCF. (n.d.). Unauthorized accounts must not have the Create symbolic links user right.. Retrieved December 18, 2017.
- Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018.
- Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.