Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

ID: M1026
Version: 1.1
Created: 06 June 2019
Last Modified: 31 March 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1548 Abuse Elevation Control Mechanism

Remove users from the local administrator group on systems.

By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.

.002 Bypass User Account Control

Remove users from the local administrator group on systems.

.003 Sudo and Sudo Caching

By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.

Enterprise T1134 Access Token Manipulation

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [1] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[2]

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[3]

.001 Token Impersonation/Theft

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [1] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[2]

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[3]

.002 Create Process with Token

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [1] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[2]

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[3]

.003 Make and Impersonate Token

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [1] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[2]

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[3]

Enterprise T1098 Account Manipulation

Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

.001 Additional Cloud Credentials

Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

.002 Additional Email Delegate Permissions

Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

.003 Additional Cloud Roles

Ensure that all accounts use the least privileges they require. In Azure AD environments, consider using Privileged Identity Management (PIM) to define roles that require two or more approvals before assignment to users.[4]

Enterprise T1547 .006 Boot or Logon Autostart Execution: Kernel Modules and Extensions

Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.

Enterprise T1612 Build Image on Host

Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.[5]

Enterprise T1651 Cloud Administration Command

Limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations. In Azure, limit the number of accounts with the roles Azure Virtual Machine Contributer and above, and consider using temporary Just-in-Time (JIT) roles to avoid permanently assigning privileged access to virtual machines.[6] In Azure AD, limit the number of Global and Intune administrators to only those required. In AWS, limit users with permission to execute the ssm:SendCommand action, and use tags to restrict the number of machines those users can execute commands on.[7]

Enterprise T1059 Command and Scripting Interpreter

When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[8]

PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.[9]

.001 PowerShell

When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[8]

PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.[9]

.008 Network Device CLI

Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization[10] [11]

.009 Cloud API

Use of proper Identity and Access Management (IAM) with Role Based Access Control (RBAC) policies to limit actions administrators can perform and provide a history of administrative actions to detect unauthorized use and abuse.

Enterprise T1609 Container Administration Command

Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers and using the NodeRestriction admission controller to deny the kublet access to nodes and pods outside of the node it belongs to.[5] [12]

Enterprise T1136 Create Account

Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

.001 Local Account

Limit the number of accounts permitted to create other accounts. Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries.

.002 Domain Account

Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

.003 Cloud Account

Limit the number of accounts with permissions to create other accounts. Do not allow privileged accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.

Enterprise T1555 Credentials from Password Stores

Limit the number of accounts and services with permission to query information from password stores to only those required. Ensure that accounts and services with permissions to query password stores only have access to the secrets they require.

.006 Cloud Secrets Management Stores

Limit the number of cloud accounts and services with permission to query the secrets manager to only those required. Ensure that accounts and services with permissions to query the secrets manager only have access to the secrets they require.

Enterprise T1484 Domain Policy Modification

Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.

.002 Domain Trust Modification

Use the principal of least privilege and protect administrative access to domain trusts.

Enterprise T1611 Escape to Host

Ensure containers are not running as root by default and do not use unnecessary privileges or mounted components. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.[5]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Prevent credential overlap across systems of administrator and privileged accounts.[13]

Enterprise T1190 Exploit Public-Facing Application

Use least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.

Enterprise T1210 Exploitation of Remote Services

Minimize permissions and access for service accounts to limit impact of exploitation.

Enterprise T1222 File and Directory Permissions Modification

Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality.

.001 Windows File and Directory Permissions Modification

Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality.

.002 Linux and Mac File and Directory Permissions Modification

Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality.

Enterprise T1495 Firmware Corruption

Prevent adversary access to privileged accounts or access necessary to replace system firmware.

Enterprise T1606 Forge Web Credentials

Restrict permissions and access to the AD FS server to only originate from privileged access workstations.[14]

.002 SAML Tokens

Restrict permissions and access to the AD FS server to only originate from privileged access workstations.[14]

Enterprise T1562 .009 Impair Defenses: Safe Mode Boot

Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.[15]

Enterprise T1525 Implant Internal Image

Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege.

Enterprise T1056 .003 Input Capture: Web Portal Capture

Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Enterprise T1559 Inter-Process Communication

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AppID_GUID} associated with the process-wide security of individual COM applications.[16]

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole associated with system-wide security defaults for all COM applications that do no set their own process-wide security.[17] [18]

.001 Component Object Model

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{AppID_GUID} associated with the process-wide security of individual COM applications.[16]

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole associated with system-wide security defaults for all COM applications that do no set their own process-wide security.[17] [18]

Enterprise T1556 Modify Authentication Process

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [19] [20] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [21]

Limit access to the root account and prevent users from modifying protected components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.

Limit on-premises accounts with access to the hybrid identity solution in place. For example, limit Azure AD Global Administrator accounts to only those required, and ensure that these are dedicated cloud-only accounts rather than hybrid ones.[22]

.001 Domain Controller Authentication

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [19] [20] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [21]

.003 Pluggable Authentication Modules

Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.

.004 Network Device Authentication

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

.005 Reversible Encryption

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.[19][20] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[21]

.007 Hybrid Identity

Limit on-premises accounts with access to the hybrid identity solution in place. For example, limit Azure AD Global Administrator accounts to only those required, and ensure that these are dedicated cloud-only accounts rather than hybrid ones.[22]

Enterprise T1601 Modify System Image

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

.001 Patch System Image

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

.002 Downgrade System Image

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

Enterprise T1599 Network Boundary Bridging

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

.001 Network Address Translation Traversal

Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.

Enterprise T1003 OS Credential Dumping

Windows:Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[21]

Linux:Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive regions of memory.

.001 LSASS Memory

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

.002 Security Account Manager

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

.003 NTDS

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

.004 LSA Secrets

Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.[23]

.005 Cached Domain Credentials

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

.006 DCSync

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

.007 Proc Filesystem

Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing sensitive information.

.008 /etc/passwd and /etc/shadow

Follow best practices in restricting access to privileged accounts to avoid hostile programs from accessing such sensitive information.

Enterprise T1542 Pre-OS Boot

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions

.001 System Firmware

Prevent adversary access to privileged accounts or access necessary to perform this technique.

.003 Bootkit

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.

.005 TFTP Boot

Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. [10] [11]

Enterprise T1055 Process Injection

Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.

.008 Ptrace System Calls

Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.

Enterprise T1563 Remote Service Session Hijacking

Do not allow remote access to services as a privileged account unless necessary.

.001 SSH Hijacking

Do not allow remote access via SSH as root or other privileged accounts.

.002 RDP Hijacking

Consider removing the local Administrators group from the list of groups allowed to log in through RDP.

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Consider removing the local Administrators group from the list of groups allowed to log in through RDP.

.002 Remote Services: SMB/Windows Admin Shares

Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.

.003 Remote Services: Distributed Component Object Model

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{{AppID_GUID}} associated with the process-wide security of individual COM applications.[16]

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security.[17] [18]

.006 Remote Services: Windows Remote Management

If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.

.007 Remote Services: Cloud Services

Limit the number of high-privileged domain and cloud accounts, and ensure that these are not used for day-to-day operations. Ensure that on-premises accounts do not have privileged cloud permissions and that isolated, cloud-only accounts are used for managing cloud environments.[24]

Enterprise T1053 Scheduled Task/Job

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [25]

.002 At

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [25]

.005 Scheduled Task

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [25]

.006 Systemd Timers

Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files.

.007 Container Orchestration Job

Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.[5]

Enterprise T1505 Server Software Component

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

.001 SQL Stored Procedures

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

.002 Transport Agent

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

.004 IIS Components

Do not allow administrator accounts that have permissions to add IIS components to be used for day-to-day operations that may expose these permissions to potential adversaries and/or other unprivileged systems.

Enterprise T1072 Software Deployment Tools

Grant access to application deployment systems only to a limited number of authorized administrators.

Enterprise T1558 Steal or Forge Kerberos Tickets

Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[26]

.001 Golden Ticket

Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.

.002 Silver Ticket

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[26]

.003 Kerberoasting

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[26]

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

Limit the usage of local administrator and domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries.

Enterprise T1218 System Binary Proxy Execution

Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage.

.007 Msiexec

Restrict execution of Msiexec.exe to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage.

Enterprise T1569 System Services

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.

.002 Service Execution

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.

Enterprise T1552 Unsecured Credentials

If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.

.002 Credentials in Registry

If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.

.007 Container API

Use the principle of least privilege for privileged accounts such as the service account in Kubernetes. For example, if a pod is not required to access the Kubernetes API, consider disabling the service account altogether.[27]

Enterprise T1550 Use Alternate Authentication Material

Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.

.002 Pass the Hash

Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.

.003 Pass the Ticket

Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.[28]

Enterprise T1078 Valid Accounts

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [19] [20] These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [21]

.002 Domain Accounts

Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.

.003 Local Accounts

Audit local accounts permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [19] [20] Limit the usage of local administrator accounts to be used for day-to-day operations that may expose them to potential adversaries.

For example, audit the use of service accounts in Kubernetes, and avoid automatically granting them access to the Kubernetes API if this is not required.[27] Implementing LAPS may also help prevent reuse of local administrator credentials across a domain.[29]

.004 Cloud Accounts

Review privileged cloud account permission levels routinely to look for those that could allow an adversary to gain wide access, such as Global Administrator and Privileged Role Administrator in Azure AD.[19][20][30] These reviews should also check if new privileged cloud accounts have been created that were not authorized. For example, in Azure AD environments configure alerts to notify when accounts have gone many days without using privileged roles, as these roles may be able to be removed.[31] Consider using temporary, just-in-time (JIT) privileged access to Azure AD resources rather than permanently assigning privileged roles.[30]

Enterprise T1047 Windows Management Instrumentation

Prevent credential overlap across systems of administrator and privileged accounts. [13]

References

  1. Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.
  2. Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.
  3. Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.
  4. Microsoft. (2023, January 30). Approve or deny requests for Azure AD roles in Privileged Identity Management. Retrieved February 21, 2023.
  5. National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
  6. Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023.
  7. AWS. (n.d.). Setting up Run Command. Retrieved March 13, 2023.
  8. Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015.
  9. Microsoft. (2022, November 17). Just Enough Administration. Retrieved March 27, 2023.
  10. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020.
  11. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020.
  12. Kubernetes. (n.d.). Admission Controllers Reference. Retrieved March 8, 2023.
  13. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  14. Bierstock, D., Baker, A. (2019, March 21). I am AD FS and So Can You. Retrieved December 17, 2020.
  15. Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
  16. Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017.
  1. Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017.
  2. Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017.
  3. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  4. Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016.
  5. Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.
  6. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.
  7. Chad Tilbury. (2017, August 8). 1Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020.
  8. Microsoft. (2022, August 26). Protecting Microsoft 365 from on-premises attacks. Retrieved February 21, 2023.
  9. Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017.
  10. Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
  11. Kubernetes. (2022, February 26). Configure Service Accounts for Pods. Retrieved April 1, 2022.
  12. Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016.
  13. Margosis, A.. (2018, December 10). Remote Use of Local Accounts: LAPS Changes Everything. Retrieved March 13, 2020.
  14. Microsoft. (2022, November 14). Azure security baseline for Azure Active Directory. Retrieved February 21, 2023.
  15. Microsoft. (2022, November 14). Configure security alerts for Azure AD roles in Privileged Identity Management. Retrieved February 21, 2023.