User Account Management

Limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges.

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.

Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In AWS environments, prohibit users from calling the `sts:GetFederationToken` API unless explicitly required.(Citation: Crowdstrike AWS User Federation Persistence)

Ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies.

In cloud environments, ensure that only users who explicitly require the permissions to update instance metadata or configurations can do so.

Ensure that low-privileged accounts do not have permissions to add permissions to accounts or to update container cluster roles.

Use MDM to disable user's ability to install or approve kernel extensions, and ensure all approved kernel extensions are in alignment with policies specified in com.apple.syspolicy.kernel-extension-policy.(Citation: Apple TN2459 Kernel Extensions)(Citation: MDMProfileConfigMacOS)

Limit Privileges for Shortcut Creation: While the SeCreateSymbolicLinkPrivilege is not directly related to .lnk file creation, you should still enforce least privilege principles by limiting user rights to create and modify shortcuts, especially in system-critical locations. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. (Citation: UCF STIG Symbolic Links) Regular User Permissions Review: Regularly review and audit user permissions to ensure that only necessary accounts have write access to startup folders and critical system directories.

Limit user accounts that can load or unload device drivers by disabling SeLoadDriverPrivilege.

Limit privileges of user accounts so only authorized privileged users can create and modify XDG autostart entries.

Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.

Restrict user's abilities to create Launch Agents with group policy.

Limit user access to system utilities such as `systemctl` to only users who have a legitimate need.

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Limit access to utilities such as docker to only users who have a legitimate need, especially if using docker in rootful mode. In Kubernetes environments, only grant privileges to deploy pods to users that require it.

Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.

In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., `PutLifecycleConfiguration` in AWS) to only those accounts that require it. In AWS environments, consider using Service Control policies to limit the use of the `PutBucketLifecycle` API call.

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization for code repositories.

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.(Citation: Wald0 Guide to GPOs)(Citation: Microsoft WMI Filters)(Citation: Microsoft GPO Security Filtering)

In cloud environments, limit permissions to create new identity providers to only those accounts that require them. In AWS environments, consider using Service Control policies to limit the use of API calls such as `CreateSAMLProvider` or `CreateOpenIDConnectProvider`.

Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, Just in Time/Just Enough Administration (JIT/JEA), and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles.(Citation: Microsoft SolarWinds Customer Guidance)

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.

Limit the privileges of user accounts so that only authorized administrators can edit system environment variables.

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.

Ensure proper user permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.

Ensure least privilege principles are applied to Identity and Access Management (IAM) security policies.(Citation: Expel IO Evil in AWS)

Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.

An adversary must already have root level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Consider defining and enforcing a naming convention for user accounts to more easily spot generic account names that do not fit the typical schema.

Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of MFA for user accounts.

Limit permissions to modify conditional access policies to only those required.

Limit permissions for creating snapshots or backups in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)

Limit permissions for creating new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)

Limit permissions for deleting new instances in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.(Citation: Mandiant M-Trends 2020)

Limit permissions to request quotas adjustments or modify tenant-level compute setting to only those required.

Azure AD Administrators apply limitations upon the ability for users to grant consent to unfamiliar or unverified third-party applications.

Enforce strict user account management policies on third-party service accounts to control access and limit privileges. Configure accounts with the minimum permissions necessary to perform their roles and regularly review access levels. This minimizes the risk of adversaries exploiting service accounts to execute spearphishing attacks or gain unauthorized access to sensitive resources.

Limit remote user permissions if remote access is necessary.

Limit remote user permissions if remote access is necessary.

Limit which user accounts are allowed to login via SSH.

Limit which users are allowed to access compute infrastructure via cloud native methods.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. In Linux environments, users account-level access to at can be managed using at.allow and at.deny files. Users listed in the at.allow are enabled to schedule actions using at, whereas users listed in at.deny file disabled from the utility.

cron permissions are controlled by /etc/cron.allow and /etc/cron.deny. If there is a cron.allow file, then the user or users that need to use cron will need to be listed in the file. cron.deny is used to explicitly disallow users from using cron. If neither files exist, then only the super user is allowed to run cron.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need.

Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs.

Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify the web directory.(Citation: NSA and ASD Detect and Prevent Web Shells 2020)

Prevent users from installing their own launch agents or launch daemons.

Do not allow a domain user to be in the local administrator group on multiple systems.

Do not allow a user to be a local administrator for multiple systems.

Regularly review and manage domain accounts to ensure that only active, necessary accounts exist. Remove or disable inactive and unnecessary accounts to reduce the risk of adversaries abusing these accounts to gain unauthorized access or move laterally within the network.

Enforce user account management practices for local accounts to limit access and remove inactive or unused accounts. By doing so, you reduce the attack surface available to adversaries and prevent unauthorized access to local systems.

Periodically review user accounts and remove those that are inactive or unnecessary. Limit the ability for user accounts to create additional accounts.