Skip to content

Hide Navigation Hide TOC

Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f)

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

  • sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
Cluster A Galaxy A Cluster B Galaxy B Level
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern 1
Windows Permissions - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Implant Internal Image - T1525 (4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern 1
System Firmware - T1542.001 (16ab6452-c3c1-497c-a47d-206018ca1ada) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 1
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 1
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 1
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 1
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 1
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Safe Mode Boot - T1688 (c7660f19-f8c5-4ae3-a5e5-24381c270376) Attack Pattern 1
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 1
Linux and Mac Permissions - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern 1
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern 1
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern 1
Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 1
Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) Attack Pattern 1
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern 1
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 1
SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Firmware Corruption - T1495 (f5bb433e-bdf6-4781-84bc-35e97e43be89) Attack Pattern 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) Attack Pattern 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern 2
Windows Permissions - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
System Firmware - T1542.001 (16ab6452-c3c1-497c-a47d-206018ca1ada) Attack Pattern Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 2
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 2
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Linux and Mac Permissions - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern 2
Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) Attack Pattern 2
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 2
Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern 2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 2
Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 2
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) Attack Pattern 2