Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

ID: M1026
Version: 1.0

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1134 Access Token Manipulation

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also restrict who can create a process-level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[1][2]

Enterprise T1098 Account Manipulation

Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Enterprise T1017 Application Deployment Software

Grant access to application deployment systems only to a limited number of authorized administrators. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.

Enterprise T1067 Bootkit

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.

Enterprise T1088 Bypass User Account Control

Remove users from the local administrator group on systems.

Enterprise T1175 Component Object Model and Distributed COM

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{{AppID_GUID}} associated with the process-wide security of individual COM applications.

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security.

Enterprise T1136 Create Account

Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Enterprise T1003 Credential Dumping

Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

Linux: Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive regions of memory.[3]

Enterprise T1214 Credentials in Registry

If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.

Enterprise T1190 Exploit Public-Facing Application

Using least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.

Enterprise T1210 Exploitation of Remote Services

Minimize permissions and access for service accounts to limit impact of exploitation.

Enterprise T1495 Firmware Corruption

Prevent adversary access to privileged accounts or access necessary to replace system firmware.

Enterprise T1525 Implant Container Image

Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege.

Enterprise T1208 Kerberoasting

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[9]

Enterprise T1215 Kernel Modules and Extensions

Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.

Enterprise T1075 Pass the Hash

Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.

Enterprise T1097 Pass the Ticket

Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.[8]

Enterprise T1086 PowerShell

When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.

Enterprise T1055 Process Injection

Linux

Utilize Yama to mitigate ptrace-based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.

Enterprise T1076 Remote Desktop Protocol

Consider removing the local Administrators group from the list of groups allowed to log in through RDP.

Enterprise T1053 Scheduled Task

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.[10]

Enterprise T1505 Server Software Component

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Enterprise T1035 Service Execution

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.

Enterprise T1051 Shared Webroot

Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use and unauthenticated network share access.

Enterprise T1218 Signed Binary Proxy Execution

If these binaries are required for use, then restrict execution of them to privileged accounts or groups that need to use them to lessen the opportunities for malicious use.

Enterprise T1184 SSH Hijacking

Do not allow remote access via SSH as root or other privileged accounts.

Enterprise T1169 Sudo

By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.

Enterprise T1206 Sudo Caching

Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.
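The Linux controls named under T1055 (Yama ptrace restriction), T1184 (no root login over SSH) and T1206 (sudo timestamp_timeout=0) can be audited from their configuration. The following script is an added example, not part of the ATT&CK page; each function parses a config snippet from stdin so it can be run against live files or against saved copies. The file paths in the --live branch are the usual defaults and are assumptions about the host.

```shell
#!/bin/sh
# Added example (not from the ATT&CK page): parse-only checks for three Linux
# controls. Each function reads a snippet on stdin, prints PASS, WARN or FAIL.

# T1055 / Yama ptrace_scope: 0 = any same-uid process may attach,
# 1 = descendants only, 2 = CAP_SYS_PTRACE only, 3 = attach disabled.
yama_status() {
  scope=$(tr -d '[:space:]' || true)
  case "$scope" in
    2|3) echo "PASS ptrace_scope=$scope: attach limited to privileged users" ;;
    1)   echo "WARN ptrace_scope=1: descendants only, not privileged-only" ;;
    0)   echo "FAIL ptrace_scope=0: any same-uid process may attach" ;;
    *)   echo "FAIL unrecognised ptrace_scope value '$scope'" ;;
  esac
}

# T1206 / sudo caching: the last 'Defaults ... timestamp_timeout=N' wins.
# 0 = prompt on every sudo, negative = never expire, unset = build default.
sudo_timeout_status() {
  val=$(sed 's/#.*//' \
    | grep -E '^[[:space:]]*Defaults[^[:space:]]*[[:space:]].*timestamp_timeout[[:space:]]*=' \
    | sed -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9.]+).*/\1/' \
    | tail -n 1 || true)
  case "$val" in
    "") echo "WARN timestamp_timeout unset: build default applies" ;;
    0)  echo "PASS timestamp_timeout=0: password required for every sudo" ;;
    -*) echo "FAIL timestamp_timeout=$val: cached credentials never expire" ;;
    *)  echo "WARN timestamp_timeout=$val: credentials cached for $val minutes" ;;
  esac
}

# T1184 / SSH: sshd keeps the first PermitRootLogin it reads; Match blocks are
# skipped. Only 'no' blocks root; default 'prohibit-password' allows key login.
ssh_root_status() {
  val=$(sed -e 's/#.*//' -e '/^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/,$d' \
    | grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' \
    | head -n 1 | awk '{print tolower($2)}' || true)
  case "$val" in
    no)  echo "PASS PermitRootLogin=no: root cannot log in over SSH" ;;
    yes) echo "FAIL PermitRootLogin=yes: root may log in with a password" ;;
    "")  echo "WARN PermitRootLogin unset: default allows key-based root login" ;;
    *)   echo "WARN PermitRootLogin=$val: key-based root login still possible" ;;
  esac
}

if [ "${1:-}" = "--live" ]; then  # audit this host; /etc/sudoers needs root
  yama_status < /proc/sys/kernel/yama/ptrace_scope
  sudo_timeout_status < /etc/sudoers
  ssh_root_status < /etc/ssh/sshd_config
fi
```

Run as `sh audit.sh --live` on a host, or pipe saved config files into the individual functions from a fleet inventory; a `Defaults:user timestamp_timeout=15` line later in sudoers will override an earlier `timestamp_timeout=0`, which the last-wins parsing reflects.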

Enterprise T1019 System Firmware

Prevent adversary access to privileged accounts or access necessary to perform this technique.

Enterprise T1501 Systemd Service

The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.

Enterprise T1072 Third-party Software

Grant access to application deployment systems only to a limited number of authorized administrators.

Enterprise T1078 Valid Accounts

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.[6][7][3]

Enterprise T1100 Web Shell

Audit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network.[5]

Enterprise T1077 Windows Admin Shares

Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems.

Enterprise T1047 Windows Management Instrumentation

Prevent credential overlap across systems of administrator and privileged accounts.[4]

Enterprise T1084 Windows Management Instrumentation Event Subscription

Prevent credential overlap across systems of administrator and privileged accounts.[4]

Enterprise T1028 Windows Remote Management

If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.

References