Skip to content

Hide Navigation Hide TOC

Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f)

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

  • sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
Cluster A Galaxy A Cluster B Galaxy B Level
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern 1
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) Attack Pattern 1
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Firmware Corruption - T1495 (f5bb433e-bdf6-4781-84bc-35e97e43be89) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 1
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 1
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Implant Internal Image - T1525 (4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action System Firmware - T1542.001 (16ab6452-c3c1-497c-a47d-206018ca1ada) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 1
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 1
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 1
TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern 1
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 1
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern 1
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern 1
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) Attack Pattern 1
Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 2
SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 2
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern System Firmware - T1542.001 (16ab6452-c3c1-497c-a47d-206018ca1ada) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 2
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 2
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 2
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 2
TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 2
Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern 2
Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2