Skip to content

Hide Navigation Hide TOC

Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f)

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

  • sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
Cluster A Galaxy A Cluster B Galaxy B Level
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 1
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern 1
Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 1
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern 1
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern 1
Firmware Corruption - T1495 (f5bb433e-bdf6-4781-84bc-35e97e43be89) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern 1
Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 1
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) Attack Pattern 1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Implant Internal Image - T1525 (4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f) Attack Pattern 1
System Firmware - T1542.001 (16ab6452-c3c1-497c-a47d-206018ca1ada) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 1
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 1
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 1
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Privileged Account Management - M1026 (9bb9e696-bff8-4ae1-9454-961fc7d91d5f) Course of Action 1
/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee) Attack Pattern Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 2
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 2
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern SQL Stored Procedures - T1505.001 (f9e9365a-9ca2-4d9c-8e7c-050d73d1101a) Attack Pattern 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Cloud Credentials - T1098.001 (8a2f40cf-8325-47f9-96e4-b1ca4c7389bd) Attack Pattern 2
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern 2
Kernel Modules and Extensions - T1547.006 (a1b52199-c8c5-438a-9ded-656f1d0888c6) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) Attack Pattern 2
Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Container Orchestration Job - T1053.007 (1126cab1-c700-412f-a510-61f4937bb096) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 2
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Network Device CLI - T1059.008 (818302b2-d640-477b-bf88-873120ce85c4) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 2
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Transport Agent - T1505.002 (35187df2-31ed-43b6-a1f5-2f1d3d58d3f1) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern 2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern 2
Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 2
IIS Components - T1505.004 (b46a801b-fd98-491c-a25a-bca25d6e3001) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
System Firmware - T1542.001 (16ab6452-c3c1-497c-a47d-206018ca1ada) Attack Pattern Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 2
Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2