User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

ID: M1018
Version: 1.1
Created: 06 June 2019
Last Modified: 20 May 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

.001 Token Impersonation/Theft

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

.002 Create Process with Token

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

.003 Make and Impersonate Token

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Enterprise T1197 BITS Jobs

Consider limiting access to the BITS interface to specific users or groups. [1]

Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

.009 Boot or Logon Autostart Execution: Shortcut Modification

Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. [9]

Enterprise T1110 Brute Force

Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.

.004 Credential Stuffing

Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.

Enterprise T1538 Cloud Service Dashboard

Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account.

Enterprise T1543 Create or Modify System Process

Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.

.001 Launch Agent

Restrict user's abilities to create Launch Agents with group policy.

.002 Systemd Service

Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need.

.003 Windows Service

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

.004 Launch Daemon

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Enterprise T1530 Data from Cloud Storage Object

Configure user permissions groups and roles for access to cloud storage.[5] Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access.[6] Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.[7]

Enterprise T1213 Data from Information Repositories

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

.001 Confluence

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

.002 Sharepoint

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI.

Enterprise T1484 Group Policy Modification

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.[2][3][4]

Enterprise T1574 Hijack Execution Flow

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution.

.010 Services File Permissions Weakness

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

.005 Executable Installer File Permissions Weakness

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

.012 COR_PROFILER

Limit the privileges of user accounts so that only authorized administrators can edit system environment variables.

Enterprise T1562 Impair Defenses

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

.001 Disable or Modify Tools

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

.002 Disable Windows Event Logging

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

.004 Disable or Modify System Firewall

Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.

.006 Indicator Blocking

Ensure event tracers/forwarders [10], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.

.007 Disable or Modify Cloud Firewall

Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.[11]

Enterprise T1185 Man in the Browser

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.

Enterprise T1578 Modify Cloud Compute Infrastructure

Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[8]

.002 Create Cloud Instance

Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[8]

.001 Create Snapshot

Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[8]

.003 Delete Cloud Instance

Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.[8]

Enterprise T1563 Remote Service Session Hijacking

Limit remote user permissions if remote access is necessary.

.002 RDP Hijacking

Limit remote user permissions if remote access is necessary.

Enterprise T1021 Remote Services

Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.

.001 Remote Desktop Protocol

Limit remote user permissions if remote access is necessary.

.004 SSH

Limit which user accounts are allowed to login via SSH.

Enterprise T1053 Scheduled Task/Job

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

.002 At (Windows)

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

.005 Scheduled Task

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

.001 At (Linux)

Users account-level access to at can be managed using /etc/at.allow and /etc/at.deny files. Users listed in the at.allow are enabled to schedule actions using at, whereas users listed in at.deny file disabled from the utility.

.004 Launchd

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

.003 Cron

cron permissions are controlled by /etc/cron.allow and /etc/cron.deny. If there is a cron.allow file, then the user or users that need to use cron will need to be listed in the file. cron.deny is used to explicitly disallow users from using cron. If neither files exist, then only the super user is allowed to run cron.

Enterprise T1489 Service Stop

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Enterprise T1072 Software Deployment Tools

Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.

Enterprise T1528 Steal Application Access Token

A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens.

Enterprise T1569 System Services

Prevent users from installing their own launch agents or launch daemons.

.001 Launchctl

Prevent users from installing their own launch agents or launch daemons.

Enterprise T1537 Transfer Data to Cloud Account

Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts.

Enterprise T1550 Use Alternate Authentication Material

Enforce the principle of least-privilege. Do not allow a domain user to be in the local administrator group on multiple systems.

.002 Pass the Hash

Do not allow a domain user to be in the local administrator group on multiple systems.

.003 Pass the Ticket

Do not allow a user to be a local administrator for multiple systems.

Enterprise T1047 Windows Management Instrumentation

By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

References