User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

ID: M1018

Version: 1.1

Created: 06 June 2019

Last Modified: 20 May 2020

Techniques Addressed by Mitigation

Domain	ID		Name	Use
Enterprise	T1134		Access Token Manipulation	An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
		.001	Token Impersonation/Theft	An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
		.002	Create Process with Token	An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
		.003	Make and Impersonate Token	An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
Enterprise	T1087	.004	Account Discovery: Cloud Account	Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.
Enterprise	T1197		BITS Jobs	Consider limiting access to the BITS interface to specific users or groups. ^[1]
Enterprise	T1547	.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.
		.009	Boot or Logon Autostart Execution: Shortcut Modification	Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. ^[2]
		.012	Boot or Logon Autostart Execution: Print Processors	Limit user accounts that can load or unload device drivers by disabling `SeLoadDriverPrivilege`.
Enterprise	T1110		Brute Force	Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.
		.004	Credential Stuffing	Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.
Enterprise	T1580		Cloud Infrastructure Discovery	Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.
Enterprise	T1538		Cloud Service Dashboard	Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account.
Enterprise	T1059	.008	Command and Scripting Interpreter: Network Device CLI	Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions users can perform and provide a history of user actions to detect unauthorized use and abuse. Ensure least privilege principles are applied to user accounts and groups so that only authorized users can perform configuration changes. ^[3]
Enterprise	T1543		Create or Modify System Process	Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.
		.001	Launch Agent	Restrict user's abilities to create Launch Agents with group policy.
		.002	Systemd Service	Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need.
		.003	Windows Service	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.
		.004	Launch Daemon	Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.
Enterprise	T1530		Data from Cloud Storage Object	Configure user permissions groups and roles for access to cloud storage.^[4] Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access.^[5] Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.^[6]
Enterprise	T1213		Data from Information Repositories	Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
		.001	Confluence	Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
		.002	Sharepoint	Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.
Enterprise	T1484		Domain Policy Modification	Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.^[7]^[8]^[9]
		.001	Group Policy Modification	Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.^[7]^[8]^[9]
Enterprise	T1546	.003	Event Triggered Execution: Windows Management Instrumentation Event Subscription	By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI.
Enterprise	T1606		Forge Web Credentials	Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.^[10]
		.002	SAML Tokens	Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.^[10]
Enterprise	T1574		Hijack Execution Flow	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:` and system directories, such as `C:\Windows\`, to reduce places where malicious files could be placed for execution.
		.010	Services File Permissions Weakness	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
		.005	Executable Installer File Permissions Weakness	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
		.012	COR_PROFILER	Limit the privileges of user accounts so that only authorized administrators can edit system environment variables.
Enterprise	T1562		Impair Defenses	Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
		.001	Disable or Modify Tools	Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.
		.002	Disable Windows Event Logging	Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.
		.004	Disable or Modify System Firewall	Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.
		.006	Indicator Blocking	Ensure event tracers/forwarders ^[11], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.
		.007	Disable or Modify Cloud Firewall	Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.^[12]
		.008	Disable Cloud Logs	Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.
Enterprise	T1185		Man in the Browser	Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.
Enterprise	T1578		Modify Cloud Compute Infrastructure	Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.^[13]
		.002	Create Cloud Instance	Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.^[13]
		.001	Create Snapshot	Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.^[13]
		.003	Delete Cloud Instance	Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.^[13]
Enterprise	T1563		Remote Service Session Hijacking	Limit remote user permissions if remote access is necessary.
		.002	RDP Hijacking	Limit remote user permissions if remote access is necessary.
Enterprise	T1021		Remote Services	Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.
		.001	Remote Desktop Protocol	Limit remote user permissions if remote access is necessary.
		.004	SSH	Limit which user accounts are allowed to login via SSH.
Enterprise	T1053		Scheduled Task/Job	Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.
		.002	At (Windows)	Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.
		.005	Scheduled Task	Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.
		.001	At (Linux)	Users account-level access to `at` can be managed using `/etc/at.allow` and `/etc/at.deny` files. Users listed in the at.allow are enabled to schedule actions using at, whereas users listed in at.deny file disabled from the utility.
		.004	Launchd	Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.
		.003	Cron	`cron` permissions are controlled by `/etc/cron.allow and /etc/cron.deny`. If there is a `cron.allow` file, then the user or users that need to use `cron` will need to be listed in the file. `cron.deny` is used to explicitly disallow users from using cron. If neither files exist, then only the super user is allowed to run cron.
		.006	Systemd Timers	Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need.
Enterprise	T1489		Service Stop	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.
Enterprise	T1072		Software Deployment Tools	Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.
Enterprise	T1528		Steal Application Access Token	A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens.
Enterprise	T1569		System Services	Prevent users from installing their own launch agents or launch daemons.
		.001	Launchctl	Prevent users from installing their own launch agents or launch daemons.
Enterprise	T1537		Transfer Data to Cloud Account	Limit user account and IAM policies to the least privileges required. Consider using temporary credentials for accounts that are only valid for a certain period of time to reduce the effectiveness of compromised accounts.
Enterprise	T1550		Use Alternate Authentication Material	Enforce the principle of least-privilege. Do not allow a domain user to be in the local administrator group on multiple systems.
		.002	Pass the Hash	Do not allow a domain user to be in the local administrator group on multiple systems.
		.003	Pass the Ticket	Do not allow a user to be a local administrator for multiple systems.
Enterprise	T1078	.004	Valid Accounts: Cloud Accounts	Periodically review user accounts and remove those that are inactive or unnecessary. Limit the ability for user accounts to create additional accounts.
Enterprise	T1047		Windows Management Instrumentation	By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

References

Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.
UCF. (n.d.). Unauthorized accounts must not have the Create symbolic links user right.. Retrieved December 18, 2017.
Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020.
Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019.
Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019.
Amazon. (n.d.). Temporary Security Credentials. Retrieved October 18, 2019.
Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019.