User Account Management, Mitigation M1018 - Enterprise | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>User Account Management, Mitigation M1018 - Enterprise | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs 
ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " 
aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li 
class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/mitigations">Mitigations</a></li> <li class="breadcrumb-item">User Account Management</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> User Account Management </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Manage the creation, modification, use, and permissions associated to user 
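accounts.</p>
</div>
</div>
<div class="col-md-4">
  <div class="card">
    <div class="card-body">
      <div class="card-data"><span class="h5 card-title">ID:</span> M1018</div>
      <div class="card-data"><span class="h5 card-title">Version:</span> 1.1</div>
      <div class="card-data"><span class="h5 card-title">Created: </span>06 June 2019</div>
      <div class="card-data"><span class="h5 card-title">Last Modified: </span>20 May 2020</div>
    </div>
  </div>
  <div class="text-center pt-2 version-button live">
    <div class="live">
      <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of M1018" href="/versions/v16/mitigations/M1018/" data-test-ignore="true">Version Permalink</a>
    </div>
    <div class="permalink">
      <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of M1018" href="/versions/v16/mitigations/M1018/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py-->
    </div>
  </div>
</div>
</div>
<!--stop-indexing-for-search-->
<div class="dropdown h3 mt-3 float-right">
  <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
    <b>ATT&CK<sup>®</sup> Navigator Layers</b>
  </button>
  <div class="dropdown-menu" aria-labelledby="dropdownMenuButton">
    <h6 class="dropdown-header">Enterprise Layer</h6>
    <a class="dropdown-item" href="/mitigations/M1018/M1018-enterprise-layer.json" download target="_blank">download</a>
    <!-- only show view on navigator link if layer link is defined -->
    <!-- The href below is a placeholder; the inline script replaces it with the Navigator URL.
         The link opens a third-party origin in a new tab, so rel="noopener noreferrer" keeps
         that tab from getting a window.opener handle or a Referer for this page. -->
    <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank" rel="noopener noreferrer">view <img width="10" src="/theme/images/external-site-dark.jpeg" alt="External site"></a>
    <script src="/theme/scripts/settings.js"></script>
    <script>
      /* Comments in this script are block comments on purpose: with line comments,
         collapsing the markup onto one line turns the code after them into a comment. */
      if (window.location.protocol === "https:") {
        /* view on navigator only works when this site is hosted on HTTPS */
        /* base_url is not defined in this script; presumably it comes from settings.js, loaded just above. */
        var layerURL = window.location.protocol + "//" + window.location.host + base_url + "mitigations/M1018/M1018-enterprise-layer.json";
        /* The layer URL is percent-encoded before it is placed in the Navigator fragment. */
        document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL);
      } else {
        /* hide button */
        document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none");
      }
    </script>
  </div>
</div>
<!--start-indexing-for-search-->
<h2 class="pt-3 mb-2" id="techniques">Techniques Addressed by Mitigation</h2>
<div class="tables-mobile">
<table class="table techniques-used background table-bordered">
  <thead>
    <tr>
      <th class="p-2" scope="col">Domain</th>
      <th class="p-2" colspan="2">ID</th>
      <th class="p-2" scope="col">Name</th>
      <th class="p-2" scope="col">Use</th>
    </tr>
  </thead>
  <tbody>
    <tr class="technique enterprise" id="enterprise">
      <td> Enterprise </td>
      <td colspan="2"> <a href="/techniques/T1548">T1548</a> </td>
      <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a> </td>
      <td> <p>Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges.</p> </td>
    </tr>
    <tr class="sub technique enterprise" id="enterprise">
      <td></td>
      <td></td>
      <td> <a href="/techniques/T1548/005">.005</a> </td>
      <td> <a href="/techniques/T1548/005">Temporary Elevated Cloud Access</a> </td>
      <td> <p>Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required.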
Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1134">T1134</a> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a> </td> <td> <p>An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/001">.001</a> </td> <td> <a href="/techniques/T1134/001">Token Impersonation/Theft</a> </td> <td> <p>An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/002">.002</a> </td> <td> <a href="/techniques/T1134/002">Create Process with Token</a> </td> <td> <p>An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/003">.003</a> </td> <td> <a href="/techniques/T1134/003">Make and Impersonate Token</a> </td> <td> <p>An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1087">T1087</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a> </td> <td> <p>Manage the creation, modification, use, and permissions associated to user accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1087/004">.004</a> </td> <td> <a href="/techniques/T1087/004">Cloud Account</a> </td> <td> <p>Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1098">T1098</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a> </td> <td> <p>Ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/001">.001</a> </td> <td> <a href="/techniques/T1098/001">Additional Cloud Credentials</a> </td> <td> <p>Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In AWS environments, prohibit users from calling the <code>sts:GetFederationToken</code> API unless explicitly required.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title=" Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. 
Retrieved March 10, 2023."data-reference="Crowdstrike AWS User Federation Persistence"><sup><a href="https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/003">.003</a> </td> <td> <a href="/techniques/T1098/003">Additional Cloud Roles</a> </td> <td> <p>Ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/004">.004</a> </td> <td> <a href="/techniques/T1098/004">SSH Authorized Keys</a> </td> <td> <p>In cloud environments, ensure that only users who explicitly require the permissions to update instance metadata or configurations can do so.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/006">.006</a> </td> <td> <a href="/techniques/T1098/006">Additional Container Cluster Roles</a> </td> <td> <p>Ensure that low-privileged accounts do not have permissions to add permissions to accounts or to update container cluster roles. 
</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1020">T1020</a> </td> <td> <a href="/techniques/T1020/001">.001</a> </td> <td> <a href="/techniques/T1020">Automated Exfiltration</a>: <a href="/techniques/T1020/001">Traffic Duplication</a> </td> <td> <p>In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1197">T1197</a> </td> <td> <a href="/techniques/T1197">BITS Jobs</a> </td> <td> <p>Consider limiting access to the BITS interface to specific users or groups.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018."data-reference="Symantec BITS May 2007"><sup><a href="https://www.symantec.com/connect/blogs/malware-update-windows-update" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547/004">.004</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/004">Winlogon Helper DLL</a> </td> <td> <p>Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/006">.006</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/006">Kernel Modules and Extensions</a> </td> <td> <p>Use MDM to disable user's ability to install or approve kernel extensions, and ensure all approved 
kernel extensions are in alignment with policies specified in <code>com.apple.syspolicy.kernel-extension-policy</code>.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Apple. (2018, April 19). Technical Note TN2459: User-Approved Kernel Extension Loading. Retrieved June 30, 2020."data-reference="Apple TN2459 Kernel Extensions"><sup><a href="https://developer.apple.com/library/archive/technotes/tn2459/_index.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Apple. (2019, May 3). Configuration Profile Reference, Developer. Retrieved April 15, 2022."data-reference="MDMProfileConfigMacOS"><sup><a href="https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/009">.009</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/009">Shortcut Modification</a> </td> <td> <p>Limit Privileges for Shortcut Creation: While the SeCreateSymbolicLinkPrivilege is not directly related to .lnk file creation, you should still enforce least privilege principles by limiting user rights to create and modify shortcuts, especially in system-critical locations. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="UCF. (n.d.). Unauthorized accounts must not have the Create symbolic links user right.. 
Retrieved December 18, 2017."data-reference="UCF STIG Symbolic Links"><sup><a href="https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p><p>Regular User Permissions Review: Regularly review and audit user permissions to ensure that only necessary accounts have write access to startup folders and critical system directories.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/012">.012</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/012">Print Processors</a> </td> <td> <p>Limit user accounts that can load or unload device drivers by disabling <code>SeLoadDriverPrivilege</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/013">.013</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/013">XDG Autostart Entries</a> </td> <td> <p>Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1185">T1185</a> </td> <td> <a href="/techniques/T1185">Browser Session Hijacking</a> </td> <td> <p>Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and <a href="/techniques/T1548/002">Bypass User Account Control</a> opportunities can limit the exposure to this technique.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1110">T1110</a> </td> <td> <a href="/techniques/T1110">Brute Force</a> </td> <td> <p>Proactively reset accounts that are known to be part of 
breached credentials either immediately, or after detecting bruteforce attempts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1110/004">.004</a> </td> <td> <a href="/techniques/T1110/004">Credential Stuffing</a> </td> <td> <p>Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1580">T1580</a> </td> <td> <a href="/techniques/T1580">Cloud Infrastructure Discovery</a> </td> <td> <p>Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1538">T1538</a> </td> <td> <a href="/techniques/T1538">Cloud Service Dashboard</a> </td> <td> <p>Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. 
This may limit the discovery value of the dashboard in the event of a compromised account.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1619">T1619</a> </td> <td> <a href="/techniques/T1619">Cloud Storage Object Discovery</a> </td> <td> <p>Restrict granting of permissions related to listing objects in cloud storage to necessary accounts.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059/008">.008</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/008">Network Device CLI</a> </td> <td> <p>Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions users can perform and provide a history of user actions to detect unauthorized use and abuse. Ensure least privilege principles are applied to user accounts and groups so that only authorized users can perform configuration changes. <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. 
Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - AAA"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#38" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1609">T1609</a> </td> <td> <a href="/techniques/T1609">Container Administration Command</a> </td> <td> <p>Enforce authentication and role-based access control on the container service to restrict users to the least privileges required.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022."data-reference="Kubernetes Hardening Guide"><sup><a href="https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> When using Kubernetes, avoid giving users wildcard permissions or adding users to the <code>system:masters</code> group, and use <code>RoleBindings</code> rather than <code>ClusterRoleBindings</code> to limit user privileges to specific namespaces.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kubernetes. (n.d.). Role Based Access Control Good Practices. 
Retrieved March 8, 2023."data-reference="Kubernetes RBAC"><sup><a href="https://kubernetes.io/docs/concepts/security/rbac-good-practices/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1613">T1613</a> </td> <td> <a href="/techniques/T1613">Container and Resource Discovery</a> </td> <td> <p>Enforce the principle of least privilege by limiting dashboard visibility to only the required users. When using Kubernetes, avoid giving users wildcard permissions or adding users to the <code>system:masters</code> group, and use <code>RoleBindings</code> rather than <code>ClusterRoleBindings</code> to limit user privileges to specific namespaces.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023."data-reference="Kubernetes RBAC"><sup><a href="https://kubernetes.io/docs/concepts/security/rbac-good-practices/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1543">T1543</a> </td> <td> <a href="/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>Limit privileges of user accounts and groups so that only authorized administrators can interact with system-level process changes and service configurations.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/002">.002</a> </td> <td> <a href="/techniques/T1543/002">Systemd Service</a> </td> <td> <p>Limit user access to system utilities such as <code>systemctl</code> to only users who have a legitimate need.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a 
href="/techniques/T1543/003">.003</a> </td> <td> <a href="/techniques/T1543/003">Windows Service</a> </td> <td> <p>Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/004">.004</a> </td> <td> <a href="/techniques/T1543/004">Launch Daemon</a> </td> <td> <p>Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/005">.005</a> </td> <td> <a href="/techniques/T1543/005">Container Service</a> </td> <td> <p>Limit access to utilities such as docker to only users who have a legitimate need, especially if using docker in rootful mode. In Kubernetes environments, only grant privileges to deploy pods to users that require it. </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1555">T1555</a> </td> <td> <a href="/techniques/T1555/003">.003</a> </td> <td> <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p>Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. 
Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/005">.005</a> </td> <td> <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/005">Password Managers</a> </td> <td> <p>Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1485">T1485</a> </td> <td> <a href="/techniques/T1485">Data Destruction</a> </td> <td> <p>In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., <code>PutLifecycleConfiguration</code> in AWS) to only those accounts that require it. In AWS environments, consider using Service Control Policies (SCPs) to limit the use of the <code>PutBucketLifecycle</code> API call. Because SCPs match IAM actions rather than API operation names, the policy statement has to deny <code>s3:PutLifecycleConfiguration</code>, the IAM action that authorizes this call.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1485/001">.001</a> </td> <td> <a href="/techniques/T1485/001">Lifecycle-Triggered Deletion</a> </td> <td> <p>In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., <code>PutLifecycleConfiguration</code> in AWS) to only those accounts that require it. In AWS environments, consider using Service Control Policies (SCPs) to limit the use of the <code>PutBucketLifecycle</code> API call. Because SCPs match IAM actions rather than API operation names, the policy statement has to deny <code>s3:PutLifecycleConfiguration</code>, the IAM action that authorizes this call.
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1530">T1530</a> </td> <td> <a href="/techniques/T1530">Data from Cloud Storage</a> </td> <td> <p>Configure user permissions groups and roles for access to cloud storage.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019."data-reference="Microsoft Azure Storage Security, 2019"><sup><a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019."data-reference="Amazon S3 Security, 2019"><sup><a href="https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Amazon. (n.d.). Temporary Security Credentials. 
Retrieved October 18, 2019."data-reference="Amazon AWS Temporary Security Credentials"><sup><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1213">T1213</a> </td> <td> <a href="/techniques/T1213">Data from Information Repositories</a> </td> <td> <p>Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1213/001">.001</a> </td> <td> <a href="/techniques/T1213/001">Confluence</a> </td> <td> <p>Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1213/002">.002</a> </td> <td> <a href="/techniques/T1213/002">Sharepoint</a> </td> <td> <p>Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1213/003">.003</a> </td> <td> <a href="/techniques/T1213/003">Code Repositories</a> </td> <td> <p>Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization for code repositories.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1213/004">.004</a> </td> <td> <a href="/techniques/T1213/004">Customer Relationship Management Software</a> </td> <td> <p>Enforce the principle of least-privilege. 
Consider implementing access control mechanisms that include both authentication and authorization. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1610">T1610</a> </td> <td> <a href="/techniques/T1610">Deploy Container</a> </td> <td> <p>Enforce the principle of least privilege by limiting container dashboard access to only the necessary users. When using Kubernetes, avoid giving users wildcard permissions or adding users to the <code>system:masters</code> group, and use <code>RoleBindings</code> rather than <code>ClusterRoleBindings</code> to limit user privileges to specific namespaces.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023."data-reference="Kubernetes RBAC"><sup><a href="https://kubernetes.io/docs/concepts/security/rbac-good-practices/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1006">T1006</a> </td> <td> <a href="/techniques/T1006">Direct Volume Access</a> </td> <td> <p>Ensure only accounts required to configure and manage backups have the privileges to do so. Monitor these accounts for unauthorized backup activity.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1484">T1484</a> </td> <td> <a href="/techniques/T1484">Domain or Tenant Policy Modification</a> </td> <td> <p>Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. 
Retrieved March 5, 2019."data-reference="Wald0 Guide to GPOs"><sup><a href="https://wald0.com/?p=179" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019."data-reference="Microsoft WMI Filters"><sup><a href="https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Microsoft. (2018, May 30). Filtering the Scope of a GPO. Retrieved March 13, 2019."data-reference="Microsoft GPO Security Filtering"><sup><a href="https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1484/001">.001</a> </td> <td> <a href="/techniques/T1484/001">Group Policy Modification</a> </td> <td> <p>Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019."data-reference="Wald0 Guide to GPOs"><sup><a href="https://wald0.com/?p=179" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. 
Retrieved March 13, 2019."data-reference="Microsoft WMI Filters"><sup><a href="https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Microsoft. (2018, May 30). Filtering the Scope of a GPO. Retrieved March 13, 2019."data-reference="Microsoft GPO Security Filtering"><sup><a href="https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1484/002">.002</a> </td> <td> <a href="/techniques/T1484/002">Trust Modification</a> </td> <td> <p>In cloud environments, limit permissions to create new identity providers to only those accounts that require them. In AWS environments, consider using Service Control policies to limit the use of API calls such as <code>CreateSAMLProvider</code> or <code>CreateOpenIDConnectProvider</code>. 
</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1546">T1546</a> </td> <td> <a href="/techniques/T1546/003">.003</a> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a> </td> <td> <p>By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1048">T1048</a> </td> <td> <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a> </td> <td> <p>Configure user permissions groups and roles for access to cloud storage.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019."data-reference="Microsoft Azure Storage Security, 2019"><sup><a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> Implement strict Identity and Access Management (IAM) controls to prevent access to storage solutions except for the applications, users, and services that require access.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. 
Retrieved October 4, 2019."data-reference="Amazon S3 Security, 2019"><sup><a href="https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> Ensure that temporary access tokens are issued rather than permanent credentials, especially when access is being granted to entities outside of the internal security boundary.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Amazon. (n.d.). Temporary Security Credentials. Retrieved October 18, 2019."data-reference="Amazon AWS Temporary Security Credentials"><sup><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1657">T1657</a> </td> <td> <a href="/techniques/T1657">Financial Theft</a> </td> <td> <p>Limit access/authority to execute sensitive transactions, and switch to systems and procedures designed to authenticate/approve payments and purchase requests outside of insecure communication lines such as email.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1606">T1606</a> </td> <td> <a href="/techniques/T1606">Forge Web Credentials</a> </td> <td> <p>Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. 
Retrieved December 17, 2020."data-reference="Microsoft SolarWinds Customer Guidance"><sup><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> In AWS environments, prohibit users from calling the <code>sts:GetFederationToken</code> API unless explicitly required.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title=" Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023."data-reference="Crowdstrike AWS User Federation Persistence"><sup><a href="https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1606/002">.002</a> </td> <td> <a href="/techniques/T1606/002">SAML Tokens</a> </td> <td> <p>Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. 
Retrieved December 17, 2020."data-reference="Microsoft SolarWinds Customer Guidance"><sup><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1574">T1574</a> </td> <td> <a href="/techniques/T1574">Hijack Execution Flow</a> </td> <td> <p>Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.</p><p>Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:\Windows\</code>, to reduce places where malicious files could be placed for execution.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/005">.005</a> </td> <td> <a href="/techniques/T1574/005">Executable Installer File Permissions Weakness</a> </td> <td> <p>Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/010">.010</a> </td> <td> <a href="/techniques/T1574/010">Services File Permissions Weakness</a> </td> <td> <p>Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. 
Deny execution from user directories such as file download directories and temp directories where able.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/012">.012</a> </td> <td> <a href="/techniques/T1574/012">COR_PROFILER</a> </td> <td> <p>Limit the privileges of user accounts so that only authorized administrators can edit system environment variables.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p>Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p>Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/002">.002</a> </td> <td> <a href="/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> <p>Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/004">.004</a> </td> <td> <a href="/techniques/T1562/004">Disable or Modify System Firewall</a> </td> <td> <p>Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/006">.006</a> </td> <td> <a href="/techniques/T1562/006">Indicator 
Blocking</a> </td> <td> <p>Ensure event tracers/forwarders <span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018."data-reference="Microsoft ETW May 2018"><sup><a href="https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span>, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/007">.007</a> </td> <td> <a href="/techniques/T1562/007">Disable or Modify Cloud Firewall</a> </td> <td> <p>Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020."data-reference="Expel IO Evil in AWS"><sup><a href="https://expel.io/blog/finding-evil-in-aws/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/008">.008</a> </td> <td> <a href="/techniques/T1562/008">Disable or Modify Cloud Logs</a> </td> <td> <p>Configure default account policy to enable logging. 
Manage policies to ensure only necessary users have permissions to make changes to logging policies.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/012">.012</a> </td> <td> <a href="/techniques/T1562/012">Disable or Modify Linux Audit System</a> </td> <td> <p>An adversary must already have root level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1490">T1490</a> </td> <td> <a href="/techniques/T1490">Inhibit System Recovery</a> </td> <td> <p>Limit the user accounts that have access to backups to only those required. In AWS environments, consider using Service Control Policies to restrict API calls to delete backups, snapshots, and images. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1654">T1654</a> </td> <td> <a href="/techniques/T1654">Log Enumeration</a> </td> <td> <p>Limit the ability to access and export sensitive logs to privileged accounts where possible.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036">Masquerading</a> </td> <td> <p>Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/010">.010</a> </td> <td> <a href="/techniques/T1036/010">Masquerade Account Name</a> </td> <td> <p>Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/006">.006</a> </td> <td> <a href="/techniques/T1556/006">Multi-Factor Authentication</a> </td> <td> <p>Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of MFA for user accounts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/009">.009</a> </td> <td> <a href="/techniques/T1556/009">Conditional Access Policies</a> </td> <td> <p>Limit permissions to modify conditional access policies to only those required.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1578">T1578</a> </td> <td> <a href="/techniques/T1578">Modify Cloud Compute Infrastructure</a> </td> <td> <p>Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mandiant. (2020, February). M-Trends 2020. 
Retrieved April 24, 2020."data-reference="Mandiant M-Trends 2020"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1578/001">.001</a> </td> <td> <a href="/techniques/T1578/001">Create Snapshot</a> </td> <td> <p>Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."data-reference="Mandiant M-Trends 2020"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1578/002">.002</a> </td> <td> <a href="/techniques/T1578/002">Create Cloud Instance</a> </td> <td> <p>Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mandiant. (2020, February). M-Trends 2020. 
Retrieved April 24, 2020."data-reference="Mandiant M-Trends 2020"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1578/003">.003</a> </td> <td> <a href="/techniques/T1578/003">Delete Cloud Instance</a> </td> <td> <p>Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020."data-reference="Mandiant M-Trends 2020"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1578/005">.005</a> </td> <td> <a href="/techniques/T1578/005">Modify Cloud Compute Configurations</a> </td> <td> <p>Limit permissions to request quota adjustments or modify tenant-level compute settings to only those required.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1666">T1666</a> </td> <td> <a href="/techniques/T1666">Modify Cloud Resource Hierarchy</a> </td> <td> <p>Limit permissions to add, delete, or modify resource groups to only those required. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1040">T1040</a> </td> <td> <a href="/techniques/T1040">Network Sniffing</a> </td> <td> <p>In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1566">T1566</a> </td> <td> <a href="/techniques/T1566/001">.001</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p>Apply user account management principles to limit permissions for accounts interacting with email attachments, ensuring that only necessary accounts have the ability to open or execute files. Restricting account privileges reduces the potential impact of malicious attachments by preventing unauthorized execution or spread of malware within the environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1566/002">.002</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p>Azure AD administrators can apply limitations on the ability of users to grant consent to unfamiliar or unverified third-party applications. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1566/003">.003</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/003">Spearphishing via Service</a> </td> <td> <p>Enforce strict user account management policies on third-party service accounts to control access and limit privileges. Configure accounts with the minimum permissions necessary to perform their roles and regularly review access levels. 
This minimizes the risk of adversaries exploiting service accounts to execute spearphishing attacks or gain unauthorized access to sensitive resources.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1563">T1563</a> </td> <td> <a href="/techniques/T1563">Remote Service Session Hijacking</a> </td> <td> <p>Limit remote user permissions if remote access is necessary.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1563/002">.002</a> </td> <td> <a href="/techniques/T1563/002">RDP Hijacking</a> </td> <td> <p>Limit remote user permissions if remote access is necessary.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1021">T1021</a> </td> <td> <a href="/techniques/T1021">Remote Services</a> </td> <td> <p>Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/001">.001</a> </td> <td> <a href="/techniques/T1021/001">Remote Desktop Protocol</a> </td> <td> <p>Limit remote user permissions if remote access is necessary.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/004">.004</a> </td> <td> <a href="/techniques/T1021/004">SSH</a> </td> <td> <p>Limit which user accounts are allowed to login via SSH.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/008">.008</a> </td> <td> <a href="/techniques/T1021/008">Direct Cloud VM Connections</a> </td> <td> <p>Limit which users are allowed to access compute infrastructure via cloud native methods.</p> </td> </tr> <tr 
class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1053">T1053</a> </td> <td> <a href="/techniques/T1053">Scheduled Task/Job</a> </td> <td> <p>Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/002">.002</a> </td> <td> <a href="/techniques/T1053/002">At</a> </td> <td> <p>Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. In Linux environments, user account-level access to <code><a href="/software/S0110">at</a></code> can be managed using the <code>at.allow</code> and <code>at.deny</code> files. Users listed in <code>at.allow</code> are permitted to schedule actions using <code>at</code>, whereas users listed in <code>at.deny</code> are blocked from using the utility.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/003">.003</a> </td> <td> <a href="/techniques/T1053/003">Cron</a> </td> <td> <p><code>cron</code> permissions are controlled by <code>/etc/cron.allow</code> and <code>/etc/cron.deny</code>. If there is a <code>cron.allow</code> file, then the user or users that need to use <code>cron</code> will need to be listed in the file. <code>cron.deny</code> is used to explicitly disallow users from using <code>cron</code>. If neither file exists, then only the super user is allowed to run <code>cron</code>; this default varies between cron implementations and distributions, so confirm the behavior on each system rather than relying on the absence of both files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/005">.005</a> </td> <td> <a href="/techniques/T1053/005">Scheduled Task</a> </td> <td> <p>Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/006">.006</a> </td> <td> <a href="/techniques/T1053/006">Systemd Timers</a> </td> <td> <p>Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/007">.007</a> </td> <td> <a href="/techniques/T1053/007">Container Orchestration Job</a> </td> <td> <p>Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1505">T1505</a> </td> <td> <a href="/techniques/T1505">Server Software Component</a> </td> <td> <p>Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify and/or add server software components.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="NSA and ASD. (2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021."data-reference="NSA and ASD Detect and Prevent Web Shells 2020"><sup><a href="https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1505/003">.003</a> </td> <td> <a href="/techniques/T1505/003">Web Shell</a> </td> <td> <p>Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify the web directory.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="NSA and ASD. 
(2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021."data-reference="NSA and ASD Detect and Prevent Web Shells 2020"><sup><a href="https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1648">T1648</a> </td> <td> <a href="/techniques/T1648">Serverless Execution</a> </td> <td> <p>Remove permissions to create, modify, or run serverless resources from users that do not explicitly require them.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1489">T1489</a> </td> <td> <a href="/techniques/T1489">Service Stop</a> </td> <td> <p>Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1072">T1072</a> </td> <td> <a href="/techniques/T1072">Software Deployment Tools</a> </td> <td> <p>Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. 
Ensure proper system and access isolation for critical network systems through use of account privilege separation.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1528">T1528</a> </td> <td> <a href="/techniques/T1528">Steal Application Access Token</a> </td> <td> <p>Enforce role-based access control to limit accounts to the least privileges they require. A Cloud Access Security Broker (CASB) can be used to set usage policies and manage user permissions on cloud applications to prevent access to application access tokens. In Kubernetes applications, set "automountServiceAccountToken: false" in the YAML specification of pods that do not require access to service account tokens.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022."data-reference="Kubernetes Hardening Guide"><sup><a href="https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1195">T1195</a> </td> <td> <a href="/techniques/T1195">Supply Chain Compromise</a> </td> <td> <p>Implement robust user account management practices to limit permissions associated with software execution. Ensure that software runs with the lowest necessary privileges, avoiding the use of root or administrator accounts when possible. 
By restricting permissions, you can minimize the risk of propagation and unauthorized actions in the event of a supply chain compromise, reducing the attack surface for adversaries to exploit within compromised systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1569">T1569</a> </td> <td> <a href="/techniques/T1569">System Services</a> </td> <td> <p>Prevent users from installing their own launch agents or launch daemons.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1569/001">.001</a> </td> <td> <a href="/techniques/T1569/001">Launchctl</a> </td> <td> <p>Prevent users from installing their own launch agents or launch daemons.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1537">T1537</a> </td> <td> <a href="/techniques/T1537">Transfer Data to Cloud Account</a> </td> <td> <p>Limit user account and IAM policies to the least privileges required.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1199">T1199</a> </td> <td> <a href="/techniques/T1199">Trusted Relationship</a> </td> <td> <p>Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. In Office 365 environments, partner relationships and roles can be viewed under the "Partner Relationships" page.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Microsoft. (2022, March 4). Manage partner relationships. 
Retrieved May 27, 2022."data-reference="Office 365 Partner Relationships"><sup><a href="https://docs.microsoft.com/en-us/microsoft-365/commerce/manage-partners?view=o365-worldwide" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1552">T1552</a> </td> <td> <a href="/techniques/T1552/007">.007</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/007">Container API</a> </td> <td> <p>Enforce authentication and role-based access control on the container API to restrict users to the least privileges required.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022."data-reference="Kubernetes Hardening Guide"><sup><a href="https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> When using Kubernetes, avoid giving users wildcard permissions or adding users to the <code>system:masters</code> group, and use <code>RoleBindings</code> rather than <code>ClusterRoleBindings</code> to limit user privileges to specific namespaces.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kubernetes. (n.d.). Role Based Access Control Good Practices. 
Retrieved March 8, 2023."data-reference="Kubernetes RBAC"><sup><a href="https://kubernetes.io/docs/concepts/security/rbac-good-practices/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1550">T1550</a> </td> <td> <a href="/techniques/T1550">Use Alternate Authentication Material</a> </td> <td> <p>Enforce the principle of least-privilege. Do not allow a domain user to be in the local administrator group on multiple systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1550/002">.002</a> </td> <td> <a href="/techniques/T1550/002">Pass the Hash</a> </td> <td> <p>Do not allow a domain user to be in the local administrator group on multiple systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1550/003">.003</a> </td> <td> <a href="/techniques/T1550/003">Pass the Ticket</a> </td> <td> <p>Do not allow a user to be a local administrator for multiple systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1078">T1078</a> </td> <td> <a href="/techniques/T1078">Valid Accounts</a> </td> <td> <p>Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/002">.002</a> </td> <td> <a href="/techniques/T1078/002">Domain Accounts</a> </td> <td> <p>Regularly review and manage domain accounts to ensure that only active, necessary accounts exist. 
Remove or disable inactive and unnecessary accounts to reduce the risk of adversaries abusing these accounts to gain unauthorized access or move laterally within the network.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/003">.003</a> </td> <td> <a href="/techniques/T1078/003">Local Accounts</a> </td> <td> <p>Enforce user account management practices for local accounts to limit access and remove inactive or unused accounts. By doing so, you reduce the attack surface available to adversaries and prevent unauthorized access to local systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/004">.004</a> </td> <td> <a href="/techniques/T1078/004">Cloud Accounts</a> </td> <td> <p>Periodically review user accounts and remove those that are inactive or unnecessary. Limit the ability for user accounts to create additional accounts.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1047">T1047</a> </td> <td> <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p>By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/" target="_blank"> Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023. 
</a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.symantec.com/connect/blogs/malware-update-windows-update" target="_blank"> Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://developer.apple.com/library/archive/technotes/tn2459/_index.html" target="_blank"> Apple. (2018, April 19). Technical Note TN2459: User-Approved Kernel Extension Loading. Retrieved June 30, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf" target="_blank"> Apple. (2019, May 3). Configuration Profile Reference, Developer. Retrieved April 15, 2022. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482" target="_blank"> UCF. (n.d.). Unauthorized accounts must not have the Create symbolic links user right.. Retrieved December 18, 2017. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#38" target="_blank"> Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020. 
</a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" target="_blank"> National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://kubernetes.io/docs/concepts/security/rbac-good-practices/" target="_blank"> Kubernetes. (n.d.). Role Based Access Control Good Practices. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide" target="_blank"> Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/" target="_blank"> Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="11.0"> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html" target="_blank"> Amazon. (n.d.). Temporary Security Credentials. Retrieved October 18, 2019. 
</a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://wald0.com/?p=179" target="_blank"> Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/" target="_blank"> Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo" target="_blank"> Microsoft. (2018, May 30). Filtering the Scope of a GPO. Retrieved March 13, 2019. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" target="_blank"> MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal" target="_blank"> Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018. 
</a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://expel.io/blog/finding-evil-in-aws/" target="_blank"> A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf" target="_blank"> Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF" target="_blank"> NSA and ASD. (2020, April 3). Detect and Prevent Web Shell Malware. Retrieved July 23, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://docs.microsoft.com/en-us/microsoft-365/commerce/manage-partners?view=o365-worldwide" target="_blank"> Microsoft. (2022, March 4). Manage partner relationships. Retrieved May 27, 2022. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>