M0926 Privileged Account Management
Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
Item | Value |
---|---|
ID | M0926 |
Version | 1.0 |
Created | 06 June 2019 |
Last Modified | 30 March 2023 |
Techniques Addressed by Mitigation
Domain | ID | Name | Use |
---|---|---|---|
ics | T0809 | Data Destruction | Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. [1] |
ics | T0811 | Data from Information Repositories | Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. [1] |
ics | T0819 | Exploit Public-Facing Application | Use least privilege for service accounts. [2][1] |
ics | T0866 | Exploitation of Remote Services | Minimize permissions and access for service accounts to limit impact of exploitation. [2] |
ics | T0842 | Network Sniffing | Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. [1] |
ics | T0859 | Valid Accounts | Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system-wide access with stolen privileged account credentials. [3][4] These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [5] |
References
1. National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved 2020/09/17.
2. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved 2018/03/28.
3. Microsoft. (2017, May). Attractive Accounts for Credential Theft. Retrieved 2020/09/25.
4. Microsoft. (2018, August). Implementing Least-Privilege Administrative Models. Retrieved 2020/09/25.
5. Microsoft. (2019, February). Active Directory administrative tier model. Retrieved 2020/09/25.