
M1026 Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

ID: M1026
Version: 1.1
Created: 06 June 2019
Last Modified: 31 March 2020

Techniques Addressed by Mitigation

Domain | ID | Name | Use
enterprise | T1548 | Abuse Elevation Control Mechanism | Remove users from the local administrator group on systems.
enterprise | T1548.002 | Bypass User Account Control | Remove users from the local administrator group on systems.
enterprise | T1548.003 | Sudo and Sudo Caching | By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file. Setting timestamp_timeout to 0 will require the user to input their password every time sudo is executed.
enterprise | T1134 | Access Token Manipulation | Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [14] Also restrict who can create a process level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. [15]
enterprise | T1134.001 | Token Impersonation/Theft | Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [14] Also restrict who can create a process level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. [15]
enterprise | T1134.002 | Create Process with Token | Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [14] Also restrict who can create a process level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. [15]
enterprise | T1134.003 | Make and Impersonate Token | Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [14] Also restrict who can create a process level token to only the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. [15]
enterprise | T1098 | Account Manipulation | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1098.001 | Additional Cloud Credentials | Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1098.002 | Additional Email Delegate Permissions | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1098.003 | Additional Cloud Roles | Ensure that all accounts use the least privileges they require.
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.006 | Kernel Modules and Extensions | Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.
enterprise | T1612 | Build Image on Host | Ensure containers are not running as root by default. In Kubernetes environments, consider defining a Pod Security Policy that prevents pods from running privileged containers. [5]
enterprise | T1059 | Command and Scripting Interpreter | When PowerShell is necessary, restrict the PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. [18]
enterprise | T1059.001 | PowerShell | When PowerShell is necessary, restrict the PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. [18]
enterprise | T1059.008 | Network Device CLI | Use of Authentication, Authorization, and Accounting (AAA) systems will limit the actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. [6][7]
enterprise | T1609 | Container Administration Command | Ensure containers are not running as root by default. In Kubernetes environments, consider defining a Pod Security Policy that prevents pods from running privileged containers. [5]
enterprise | T1136 | Create Account | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1136.001 | Local Account | Limit the use of local administrator accounts for day-to-day operations that may expose them to potential adversaries.
enterprise | T1136.002 | Domain Account | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1136.003 | Cloud Account | Do not allow privileged accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.002 | Systemd Service | The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges.
enterprise | T1484 | Domain Policy Modification | Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.
enterprise | T1484.002 | Domain Trust Modification | Use the principle of least privilege and protect administrative access to domain trusts.
enterprise | T1611 | Escape to Host | Ensure containers are not running as root by default. In Kubernetes environments, consider defining a Pod Security Policy that prevents pods from running privileged containers. [5]
enterprise | T1546 | Event Triggered Execution | -
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Prevent credential overlap across systems of administrator and privileged accounts. [12]
enterprise | T1190 | Exploit Public-Facing Application | Using least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.
enterprise | T1210 | Exploitation of Remote Services | Minimize permissions and access for service accounts to limit the impact of exploitation.
enterprise | T1222 | File and Directory Permissions Modification | Ensure critical system files, as well as those known to be abused by adversaries, have restrictive permissions and are owned by an appropriately privileged account, especially where access is not required by users and restricting it will not inhibit system functionality.
enterprise | T1222.001 | Windows File and Directory Permissions Modification | Ensure critical system files, as well as those known to be abused by adversaries, have restrictive permissions and are owned by an appropriately privileged account, especially where access is not required by users and restricting it will not inhibit system functionality.
enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Ensure critical system files, as well as those known to be abused by adversaries, have restrictive permissions and are owned by an appropriately privileged account, especially where access is not required by users and restricting it will not inhibit system functionality.
enterprise | T1495 | Firmware Corruption | Prevent adversary access to privileged accounts or access necessary to replace system firmware.
enterprise | T1606 | Forge Web Credentials | Restrict permissions and access to the AD FS server to only originate from privileged access workstations. [13]
enterprise | T1606.002 | SAML Tokens | Restrict permissions and access to the AD FS server to only originate from privileged access workstations. [13]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.009 | Safe Mode Boot | Restrict administrator accounts, which may be abused to remotely boot a machine in safe mode, to as few individuals as possible, following least privilege principles. [21]
enterprise | T1525 | Implant Internal Image | Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege.
enterprise | T1056 | Input Capture | -
enterprise | T1056.003 | Web Portal Capture | Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1559 | Inter-Process Communication | Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications. [9]
enterprise | T1559.001 | Component Object Model | Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications. [9]
enterprise | T1556 | Modify Authentication Process | Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [2][3] These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [4]
enterprise | T1556.001 | Domain Controller Authentication | Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [2][3] These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [4]
enterprise | T1556.003 | Pluggable Authentication Modules | Limit access to the root account and prevent users from modifying PAM components through proper privilege separation (ex: SELinux, grsecurity, AppArmor, etc.) and limiting Privilege Escalation opportunities.
enterprise | T1556.004 | Network Device Authentication | Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.
enterprise | T1556.005 | Reversible Encryption | Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [2][3] These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [4]
enterprise | T1601 | Modify System Image | Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.
enterprise | T1601.001 | Patch System Image | Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.
enterprise | T1601.002 | Downgrade System Image | Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.
enterprise | T1599 | Network Boundary Bridging | Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.
enterprise | T1599.001 | Network Address Translation Traversal | Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.
enterprise | T1003 | OS Credential Dumping | Windows: Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [4]
enterprise | T1003.001 | LSASS Memory | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
enterprise | T1003.002 | Security Account Manager | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
enterprise | T1003.003 | NTDS | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
enterprise | T1003.004 | LSA Secrets | Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [19]
enterprise | T1003.005 | Cached Domain Credentials | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
enterprise | T1003.006 | DCSync | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
enterprise | T1003.007 | Proc Filesystem | Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing sensitive information.
enterprise | T1003.008 | /etc/passwd and /etc/shadow | Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive information.
enterprise | T1542 | Pre-OS Boot | Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions.
enterprise | T1542.001 | System Firmware | Prevent adversary access to privileged accounts or access necessary to perform this technique.
enterprise | T1542.003 | Bootkit | Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.
enterprise | T1542.005 | TFTP Boot | Use of Authentication, Authorization, and Accounting (AAA) systems will limit the actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. [6][7]
enterprise | T1055 | Process Injection | Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace-based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions, such as SELinux, grsecurity, and AppArmor.
enterprise | T1055.008 | Ptrace System Calls | Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace-based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions, such as SELinux, grsecurity, and AppArmor.
enterprise | T1563 | Remote Service Session Hijacking | Do not allow remote access to services as a privileged account unless necessary.
enterprise | T1563.001 | SSH Hijacking | Do not allow remote access via SSH as root or other privileged accounts.
enterprise | T1563.002 | RDP Hijacking | Consider removing the local Administrators group from the list of groups allowed to log in through RDP.
enterprise | T1021 | Remote Services | -
enterprise | T1021.001 | Remote Desktop Protocol | Consider removing the local Administrators group from the list of groups allowed to log in through RDP.
enterprise | T1021.002 | SMB/Windows Admin Shares | Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems.
enterprise | T1021.003 | Distributed Component Object Model | Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications. [9]
enterprise | T1021.006 | Windows Remote Management | If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.
enterprise | T1053 | Scheduled Task/Job | Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [1]
enterprise | T1053.002 | At | Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [1]
enterprise | T1053.005 | Scheduled Task | Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [1]
enterprise | T1053.006 | Systemd Timers | Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files.
enterprise | T1053.007 | Container Orchestration Job | Ensure containers are not running as root by default. In Kubernetes environments, consider defining a Pod Security Policy that prevents pods from running privileged containers. [5]
enterprise | T1505 | Server Software Component | Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1505.001 | SQL Stored Procedures | Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1505.002 | Transport Agent | Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
enterprise | T1505.004 | IIS Components | Do not allow administrator accounts that have permissions to add IIS components to be used for day-to-day operations that may expose these permissions to potential adversaries and/or other unprivileged systems.
enterprise | T1072 | Software Deployment Tools | Grant access to application deployment systems only to a limited number of authorized administrators.
enterprise | T1558 | Steal or Forge Kerberos Tickets | Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.
enterprise | T1558.001 | Golden Ticket | Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.
enterprise | T1558.002 | Silver Ticket | Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. [17]
enterprise | T1558.003 | Kerberoasting | Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. [17]
enterprise | T1553 | Subvert Trust Controls | -
enterprise | T1553.006 | Code Signing Policy Modification | Limit the use of local administrator and domain administrator accounts for day-to-day operations that may expose them to potential adversaries.
enterprise | T1218 | System Binary Proxy Execution | Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use them to lessen the opportunities for malicious usage.
enterprise | T1218.007 | Msiexec | Restrict execution of Msiexec.exe to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage.
enterprise | T1569 | System Services | Ensure that permissions disallow services that run at a higher permission level from being created or interacted with by a user with a lower permission level.
enterprise | T1569.002 | Service Execution | Ensure that permissions disallow services that run at a higher permission level from being created or interacted with by a user with a lower permission level.
enterprise | T1552 | Unsecured Credentials | If software must store credentials in the Registry, ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.
enterprise | T1552.002 | Credentials in Registry | If software must store credentials in the Registry, ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.
enterprise | T1552.007 | Container API | Use the principle of least privilege for privileged accounts such as the service account in Kubernetes.
enterprise | T1550 | Use Alternate Authentication Material | Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.
enterprise | T1550.002 | Pass the Hash | Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems.
enterprise | T1550.003 | Pass the Ticket | Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. [8]
enterprise | T1078 | Valid Accounts | Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [2][3] These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. [4]
enterprise | T1078.002 | Domain Accounts | Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.
enterprise | T1078.003 | Local Accounts | Audit local account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. [2][3] These audits should check whether new local accounts have been created that have not been authorized. Implementing LAPS may help prevent reuse of local administrator credentials across a domain. [20]
enterprise | T1078.004 | Cloud Accounts | Review privileged cloud account permission levels routinely to look for those that could allow an adversary to gain wide access. [2][3] These reviews should also check whether new privileged cloud accounts have been created that were not authorized.
enterprise | T1047 | Windows Management Instrumentation | Prevent credential overlap across systems of administrator and privileged accounts. [12]

References


  1. Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017. 

  2. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. 

  3. Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016. 

  4. Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017. 

  5. National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022. 

  6. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020. 

  7. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020. 

  8. Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016. 

  9. Microsoft. (n.d.). Setting Process-Wide Security Through the Registry. Retrieved November 21, 2017. 

  10. Microsoft. (n.d.). Registry Values for System-Wide Security. Retrieved November 21, 2017. 

  11. Microsoft. (n.d.). DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Retrieved November 22, 2017. 

  12. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. 

  13. Bierstock, D., Baker, A. (2019, March 21). I am AD FS and So Can You. Retrieved December 17, 2020. 

  14. Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017. 

  15. Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017. 

  16. Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017. 

  17. Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. 

  18. Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015. 

  19. Tilbury, C. (2017, August 8). Windows Credentials: Attack, Mitigation, Defense. Retrieved February 21, 2020. 

  20. Margosis, A. (2018, December 10). Remote Use of Local Accounts: LAPS Changes Everything. Retrieved March 13, 2020. 

  21. Naim, D. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021. 
