{"description": "Enterprise techniques mitigated by Privileged Account Management, ATT&CK mitigation M1026 (v1.2)", "name": "Privileged Account Management (M1026)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1548", "comment": "Remove users from the local administrator group on systems.\n\nBy requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "Remove users from the local administrator group on systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.003", "comment": "By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.006", "comment": "Remove unnecessary users from the local administrator group on systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "comment": "Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. 
(Citation: Microsoft Create Token) Also limit who can replace a process level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.(Citation: Microsoft Replace Process Token)\n\nAdministrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.(Citation: Microsoft runas)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also limit who can replace a process level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.(Citation: Microsoft Replace Process Token)\n\nAdministrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.(Citation: Microsoft runas)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. 
(Citation: Microsoft Create Token) Also limit who can replace a process level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.(Citation: Microsoft Replace Process Token)\n\nAdministrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.(Citation: Microsoft runas)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.003", "comment": "Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also limit who can replace a process level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.(Citation: Microsoft Replace Process Token)\n\nAdministrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.(Citation: Microsoft runas)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "comment": "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1098.001", "comment": "Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1098.002", "comment": "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098.003", "comment": "Ensure that all accounts use the least privileges they require. In Azure AD environments, consider using Privileged Identity Management (PIM) to define roles that require two or more approvals before assignment to users.(Citation: Microsoft Requests for Azure AD Roles in Privileged Identity Management)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.006", "comment": "Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1612", "comment": "Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.(Citation: Kubernetes Hardening Guide)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1651", "comment": "Limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations. 
In Azure, limit the number of accounts with the roles Azure Virtual Machine Contributor and above, and consider using temporary Just-in-Time (JIT) roles to avoid permanently assigning privileged access to virtual machines.(Citation: Mandiant Azure Run Command 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "comment": "When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.(Citation: Netspi PowerShell Execution Policy Bypass)\n\nPowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.(Citation: Microsoft PS JEA)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.(Citation: Netspi PowerShell Execution Policy Bypass)\n\nPowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions.(Citation: Microsoft PS JEA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.008", "comment": "Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. 
TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.(Citation: Cisco IOS Software Integrity Assurance - AAA) (Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.009", "comment": "Use proper Identity and Access Management (IAM) with Role Based Access Control (RBAC) policies to limit actions administrators can perform and provide a history of administrative actions to detect unauthorized use and abuse.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.013", "comment": "Restrict permissions on API access. RBAC in Kubernetes involves permissions that are additive, meaning there are no explicit \"deny\" rules. These permissions can be defined within a particular namespace or within cluster-scoped resources. Securing the Docker daemon can be done by using SSH or TLS with certificate authorization. Container management tools such as Docker and Podman may offer ways to run containers as rootless, which prevents them from running with privileged permissions.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1609", "comment": "Ensure containers are not running as root by default. In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers and using the `NodeRestriction` admission controller to deny the kubelet access to nodes and pods outside of the node it belongs to.(Citation: Kubernetes Hardening Guide) (Citation: Kubernetes Admission Controllers)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1136", "comment": "Limit the number of accounts with permissions to create other accounts. 
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "Limit the number of accounts permitted to create other accounts. Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136.002", "comment": "Limit the number of accounts with permissions to create other accounts. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136.003", "comment": "Limit the number of accounts with permissions to create other accounts. Do not allow privileged accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "comment": "Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543.002", "comment": "The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "Limit the number of accounts and services with permission to query information from password stores to only those required. 
Ensure that accounts and services with permissions to query password stores only have access to the secrets they require.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1555.006", "comment": "Limit the number of cloud accounts and services with permission to query the secrets manager to only those required. Ensure that accounts and services with permissions to query the secrets manager only have access to the secrets they require.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1484", "comment": "Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1484.002", "comment": "Use the principle of least privilege and protect administrative access to domain trusts and identity tenants.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1611", "comment": "Ensure containers are not running as root by default and do not use unnecessary privileges or mounted components. 
In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.(Citation: Kubernetes Hardening Guide)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "comment": "Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546.003", "comment": "Prevent credential overlap across systems of administrator and privileged accounts.(Citation: FireEye WMI 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "Using least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1210", "comment": "Minimize permissions and access for service accounts to limit the impact of exploitation.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1222", "comment": "Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users and restricting it will not inhibit system functionality.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1222.001", "comment": "Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users and restricting it will not inhibit system functionality.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1222.002", "comment": "Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users and restricting it 
will not inhibit system functionality.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1495", "comment": "Prevent adversary access to privileged accounts or access necessary to replace system firmware.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1606", "comment": "Restrict permissions and access to the AD FS server to only originate from privileged access workstations.(Citation: FireEye ADFS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1606.002", "comment": "Restrict permissions and access to the AD FS server to only originate from privileged access workstations.(Citation: FireEye ADFS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.009", "comment": "Restrict administrator accounts, which may be abused to remotely boot a machine in safe mode, to as few individuals as possible, following least privilege principles.(Citation: CyberArk Labs Safe Mode 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1525", "comment": "Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.003", "comment": "Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "comment": "Modify Registry settings (directly or using Dcomcnfg.exe) in `HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Classes\\\\AppID\\\\{AppID_GUID}` associated with the process-wide security of individual COM applications.(Citation: Microsoft Process Wide 
Com Keys)\n\nModify Registry settings (directly or using Dcomcnfg.exe) in `HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Ole` associated with system-wide security defaults for all COM applications that do not set their own process-wide security.(Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM ACL)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "Modify Registry settings (directly or using Dcomcnfg.exe) in `HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Classes\\\\AppID\\\\{AppID_GUID}` associated with the process-wide security of individual COM applications.(Citation: Microsoft Process Wide Com Keys)\n\nModify Registry settings (directly or using Dcomcnfg.exe) in `HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Ole` associated with system-wide security defaults for all COM applications that do not set their own process-wide security.(Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM ACL)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "comment": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nLimit access to the root account and prevent users from modifying protected components through proper privilege separation (ex: SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.\n\nLimit on-premises accounts with access to the hybrid identity solution in place. 
For example, limit Azure AD Global Administrator accounts to only those required, and ensure that these are dedicated cloud-only accounts rather than hybrid ones.(Citation: MagicWeb)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1556.001", "comment": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.003", "comment": "Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex: SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.004", "comment": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. 
Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.005", "comment": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.(Citation: TechNet Credential Theft)(Citation: TechNet Least Privilege) These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.(Citation: Microsoft Securing Privileged Access)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.007", "comment": "Limit on-premises accounts with access to the hybrid identity solution in place. For example, limit Entra ID Global Administrator accounts to only those required, and ensure that these are dedicated cloud-only accounts rather than hybrid ones.(Citation: MagicWeb)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1601", "comment": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1601.001", "comment": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. 
Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1601.002", "comment": "Restrict administrator accounts to as few individuals as possible, following least privilege principles.  Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1599", "comment": "Restrict administrator accounts to as few individuals as possible, following least privilege principles.  Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1599.001", "comment": "Restrict administrator accounts to as few individuals as possible, following least privilege principles.  Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "comment": "Windows:\nDo not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.(Citation: Microsoft Securing Privileged Access)\n\nLinux:\nScraping the passwords from memory requires root privileges. 
Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive regions of memory.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. 
Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.004", "comment": "Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.(Citation: Tilbury Windows Credentials)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.005", "comment": "Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.006", "comment": "Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. 
Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.007", "comment": "Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing sensitive information.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.008", "comment": "Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive information.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542", "comment": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1542.001", "comment": "Prevent adversary access to privileged accounts or access necessary to perform this technique.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542.003", "comment": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542.005", "comment": "Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. 
(Citation: Cisco IOS Software Integrity Assurance - AAA) (Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "comment": "Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.008", "comment": "Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1563", "comment": "Do not allow remote access to services as a privileged account unless necessary.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1563.001", "comment": "Do not allow remote access via SSH as root or other privileged accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1563.002", "comment": "Consider removing the local Administrators group from the list of groups allowed to log in through RDP.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "Consider removing the local Administrators group from the list of groups allowed to log in through RDP.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "Deny remote use of local admin credentials to log into systems. 
Do not allow domain user accounts to be in the local Administrators group on multiple systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.003", "comment": "Modify Registry settings (directly or using Dcomcnfg.exe) in `HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{{AppID_GUID}}` associated with the process-wide security of individual COM applications.(Citation: Microsoft Process Wide Com Keys)\n\nModify Registry settings (directly or using Dcomcnfg.exe) in `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole` associated with system-wide security defaults for all COM applications that do not set their own process-wide security.(Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM ACL)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.006", "comment": "If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.007", "comment": "Limit the number of high-privileged domain and cloud accounts, and ensure that these are not used for day-to-day operations. Ensure that on-premises accounts do not have privileged cloud permissions and that isolated, cloud-only accounts are used for managing cloud environments.(Citation: Protecting Microsoft 365 From On-Premises Attacks)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "comment": "Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. 
(Citation: TechNet Scheduling Priority)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1053.002", "comment": "Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration &gt; [Policies] &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration &gt; [Policies] &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053.006", "comment": "Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053.007", "comment": "Ensure containers are not running as root by default. 
In Kubernetes environments, consider defining Pod Security Standards that prevent pods from running privileged containers.(Citation: Kubernetes Hardening Guide)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505", "comment": "Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1505.001", "comment": "Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505.002", "comment": "Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505.004", "comment": "Do not allow administrator accounts that have permissions to add IIS components to be used for day-to-day operations that may expose these permissions to potential adversaries and/or other unprivileged systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1072", "comment": "Grant access to application deployment systems only to a limited number of authorized administrators.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1558", "comment": "Limit domain admin account permissions to domain controllers and limited servers. 
Delegate other admin functions to separate accounts.\n\nLimit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.(Citation: AdSecurity Cracking Kerberos Dec 2015)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1558.001", "comment": "Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.002", "comment": "Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.(Citation: AdSecurity Cracking Kerberos Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.003", "comment": "Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.(Citation: AdSecurity Cracking Kerberos Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "comment": "Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1553.006", "comment": "Do not use local administrator and domain administrator accounts for day-to-day operations that may expose them to potential adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "comment": "Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use them, to lessen the opportunities for malicious usage.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "Restrict execution of Msiexec.exe to privileged accounts or groups that need to use it, to lessen the opportunities for malicious usage.", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1569", "comment": "Ensure that permissions disallow services that run at a higher permission level from being created or interacted with by a user with a lower permission level.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "Ensure that permissions disallow services that run at a higher permission level from being created or interacted with by a user with a lower permission level.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "comment": "If software must store credentials in the Registry, ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1552.002", "comment": "If software must store credentials in the Registry, ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.007", "comment": "Use the principle of least privilege for privileged accounts such as the service account in Kubernetes. 
For example, if a pod is not required to access the Kubernetes API, consider disabling the service account altogether.(Citation: Kubernetes Service Accounts)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "comment": "Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550.003", "comment": "Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.(Citation: ADSecurity AD Kerberos Attacks)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. 
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.003", "comment": "Audit local account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) Do not use local administrator accounts for day-to-day operations that may expose them to potential adversaries. \n\nFor example, audit the use of service accounts in Kubernetes, and avoid automatically granting them access to the Kubernetes API if this is not required.(Citation: Kubernetes Service Accounts) Implementing LAPS may also help prevent reuse of local administrator credentials across a domain.(Citation: Microsoft Remote Use of Local)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "Review privileged cloud account permission levels routinely to look for those that could allow an adversary to gain wide access, such as Global Administrator and Privileged Role Administrator in Azure AD.(Citation: TechNet Credential Theft)(Citation: TechNet Least Privilege)(Citation: Microsoft Azure security baseline for Azure Active Directory) These reviews should also check if new privileged cloud accounts have been created that were not authorized. 
For example, in Azure AD environments, configure alerts to notify when accounts have gone many days without using privileged roles, as these roles are candidates for removal.(Citation: Microsoft Security Alerts for Azure AD Roles) Consider using temporary, just-in-time (JIT) privileged access to Azure AD resources rather than permanently assigning privileged roles.(Citation: Microsoft Azure security baseline for Azure Active Directory)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "Prevent credential overlap of administrator and privileged accounts across systems. (Citation: FireEye WMI 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Privileged Account Management", "color": "#66b1ff"}]}