User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

ID: M1018
Version: 1.0

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1134 Access Token Manipulation

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Enterprise T1197 BITS Jobs

Consider limiting access to the BITS interface to specific users or groups.

Enterprise T1538 Cloud Service Dashboard

Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account.

Enterprise T1530 Data from Cloud Storage Object

Configure user permissions groups and roles for access to cloud storage. Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access. Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.[7][8][9]

Enterprise T1213 Data from Information Repositories

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Enterprise T1089 Disabling Security Tools

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Enterprise T1157 Dylib Hijacking

Prevent users from being able to write files to the search paths for applications.

Enterprise T1044 File System Permissions Weakness

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Enterprise T1484 Group Policy Modification

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.[1][2][3]

Enterprise T1054 Indicator Blocking

Ensure event tracers/forwarders, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.[4]

Enterprise T1159 Launch Agent

Restrict user's abilities to create Launch Agents with group policy.

Enterprise T1160 Launch Daemon

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Enterprise T1152 Launchctl

Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.

Enterprise T1168 Local Job Scheduling

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs.

Enterprise T1162 Login Item

Restrict users from being able to create their own login items.

Enterprise T1185 Man in the Browser

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.

Enterprise T1031 Modify Existing Service

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Enterprise T1050 New Service

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.

Enterprise T1075 Pass the Hash

Do not allow a domain user to be in the local administrator group on multiple systems.

Enterprise T1097 Pass the Ticket

Do not allow a user to be a local administrator for multiple systems.

Enterprise T1034 Path Interception

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution.

Enterprise T1163 Rc.common

Limit privileges of user accounts so only authorized users can edit the rc.common file.

Enterprise T1076 Remote Desktop Protocol

Limit remote user permissions if remote access is necessary.

Enterprise T1021 Remote Services

Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.

Enterprise T1053 Scheduled Task

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

Enterprise T1489 Service Stop

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Enterprise T1051 Shared Webroot

Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems.[5][6]

Enterprise T1023 Shortcut Modification

Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links.

Enterprise T1165 Startup Items

Appropriate permissions should be applied such that only specific users can edit the startup items so that they can be leveraged for privilege escalation.

Enterprise T1528 Steal Application Access Token

A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens.

Enterprise T1501 Systemd Service

Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need.

Enterprise T1072 Third-party Software

Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.

Enterprise T1537 Transfer Data to Cloud Account

Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts.

Enterprise T1078 Valid Accounts

Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Configure user permissions, groups, and roles for access to cloud-based systems as well. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Consider using temporary credentials that are only good for a certain period of time in cloud environments to reduce the effectiveness of compromised accounts.

Enterprise T1047 Windows Management Instrumentation

By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

Enterprise T1084 Windows Management Instrumentation Event Subscription

By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI.

Enterprise T1004 Winlogon Helper DLL

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

References