NIST 800-53 AC-2 Mappings

Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.

Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.

Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.
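The access attributes (time of day, day of week, point of origin) and the disabling and authenticator-change conditions in the two paragraphs above, as an added example of checking an account inventory against them; this is not NIST text or any product's code, and the record fields, action strings and sample values are assumptions:

```python
from dataclasses import dataclass, field
from datetime import date, datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed account record; field names and defaults are assumptions for this example.
@dataclass
class Account:
    name: str
    kind: str                          # individual, shared, group, emergency, temporary, last_resort, service
    owner_status: str = "active"       # active, transferred, terminated (individual accounts)
    expires: Optional[date] = None     # expiration date fixed when the account is activated
    still_required: bool = True        # outcome of the approver's periodic review
    members_changed: bool = False      # a member left a shared/group account since the last rotation
    allowed_hours: tuple = (0, 24)     # time-of-day window [start, end)
    allowed_days: tuple = tuple(range(7))   # Monday=0 .. Sunday=6
    allowed_origins: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])

def access_permitted(acct: Account, when: datetime, origin: str) -> bool:
    """Other attributes required for authorizing access: time of day, day of week, point of origin."""
    start, end = acct.allowed_hours
    in_hours = start <= when.hour < end
    in_days = when.weekday() in acct.allowed_days
    src = ip_address(origin)
    in_origin = any(src in ip_network(net) for net in acct.allowed_origins)
    return in_hours and in_days and in_origin

def required_actions(acct: Account, today: date) -> List[str]:
    """Actions the AC-2 discussion calls for; an empty list means the account stays as it is."""
    actions = []
    if acct.kind == "last_resort":         # not subject to automatic disabling or removal dates
        return actions
    if acct.expires is not None and acct.expires <= today:   # policy-defined expiration date
        actions.append("disable: expiration date reached")
    if acct.kind == "individual" and acct.owner_status in ("transferred", "terminated"):
        actions.append(f"disable: owner {acct.owner_status}")
    if acct.kind in ("temporary", "emergency") and not acct.still_required:
        actions.append("disable: no longer required")
    if acct.kind in ("shared", "group"):
        if not acct.still_required:
            actions.append("disable: no longer required")
        elif acct.members_changed:         # former members must not retain access
            actions.append("rotate authenticator: membership changed")
    return actions
```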

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1003 | OS Credential Dumping |
| AC-2 | Account Management | Protects | T1003.001 | LSASS Memory |
| AC-2 | Account Management | Protects | T1003.002 | Security Account Manager |
| AC-2 | Account Management | Protects | T1003.003 | NTDS |
| AC-2 | Account Management | Protects | T1003.004 | LSA Secrets |
| AC-2 | Account Management | Protects | T1003.005 | Cached Domain Credentials |
| AC-2 | Account Management | Protects | T1003.006 | DCSync |
| AC-2 | Account Management | Protects | T1003.007 | Proc Filesystem |
| AC-2 | Account Management | Protects | T1003.008 | /etc/passwd and /etc/shadow |
| AC-2 | Account Management | Protects | T1005 | Data from Local System |
| AC-2 | Account Management | Protects | T1021 | Remote Services |
| AC-2 | Account Management | Protects | T1021.001 | Remote Desktop Protocol |
| AC-2 | Account Management | Protects | T1021.002 | SMB/Windows Admin Shares |
| AC-2 | Account Management | Protects | T1021.003 | Distributed Component Object Model |
| AC-2 | Account Management | Protects | T1021.004 | SSH |
| AC-2 | Account Management | Protects | T1021.005 | VNC |
| AC-2 | Account Management | Protects | T1021.006 | Windows Remote Management |
| AC-2 | Account Management | Protects | T1025 | Data from Removable Media |
| AC-2 | Account Management | Protects | T1036 | Masquerading |
| AC-2 | Account Management | Protects | T1036.003 | Rename System Utilities |
| AC-2 | Account Management | Protects | T1036.005 | Match Legitimate Name or Location |
| AC-2 | Account Management | Protects | T1041 | Exfiltration Over C2 Channel |
| AC-2 | Account Management | Protects | T1047 | Windows Management Instrumentation |
| AC-2 | Account Management | Protects | T1048 | Exfiltration Over Alternative Protocol |
| AC-2 | Account Management | Protects | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| AC-2 | Account Management | Protects | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| AC-2 | Account Management | Protects | T1052 | Exfiltration Over Physical Medium |
| AC-2 | Account Management | Protects | T1052.001 | Exfiltration over USB |
| AC-2 | Account Management | Protects | T1053 | Scheduled Task/Job |
| AC-2 | Account Management | Protects | T1053.001 | At (Linux) |
| AC-2 | Account Management | Protects | T1053.002 | At (Windows) |
| AC-2 | Account Management | Protects | T1053.003 | Cron |
| AC-2 | Account Management | Protects | T1053.005 | Scheduled Task |
| AC-2 | Account Management | Protects | T1053.006 | Systemd Timers |
| AC-2 | Account Management | Protects | T1053.007 | Container Orchestration Job |
| AC-2 | Account Management | Protects | T1055 | Process Injection |
| AC-2 | Account Management | Protects | T1055.008 | Ptrace System Calls |
| AC-2 | Account Management | Protects | T1056.003 | Web Portal Capture |
| AC-2 | Account Management | Protects | T1059 | Command and Scripting Interpreter |
| AC-2 | Account Management | Protects | T1059.001 | PowerShell |
| AC-2 | Account Management | Protects | T1059.002 | AppleScript |
| AC-2 | Account Management | Protects | T1059.003 | Windows Command Shell |
| AC-2 | Account Management | Protects | T1059.004 | Unix Shell |
| AC-2 | Account Management | Protects | T1059.005 | Visual Basic |
| AC-2 | Account Management | Protects | T1059.006 | Python |
| AC-2 | Account Management | Protects | T1059.007 | JavaScript |
| AC-2 | Account Management | Protects | T1059.008 | Network Device CLI |
| AC-2 | Account Management | Protects | T1068 | Exploitation for Privilege Escalation |
| AC-2 | Account Management | Protects | T1070 | Indicator Removal on Host |
| AC-2 | Account Management | Protects | T1070.001 | Clear Windows Event Logs |
| AC-2 | Account Management | Protects | T1070.002 | Clear Linux or Mac System Logs |
| AC-2 | Account Management | Protects | T1070.003 | Clear Command History |
| AC-2 | Account Management | Protects | T1072 | Software Deployment Tools |
| AC-2 | Account Management | Protects | T1078 | Valid Accounts |
| AC-2 | Account Management | Protects | T1078.001 | Default Accounts |
| AC-2 | Account Management | Protects | T1078.002 | Domain Accounts |
| AC-2 | Account Management | Protects | T1078.003 | Local Accounts |
| AC-2 | Account Management | Protects | T1078.004 | Cloud Accounts |
| AC-2 | Account Management | Protects | T1087.004 | Cloud Account |
| AC-2 | Account Management | Protects | T1098 | Account Manipulation |
| AC-2 | Account Management | Protects | T1098.001 | Additional Cloud Credentials |
| AC-2 | Account Management | Protects | T1098.002 | Exchange Email Delegate Permissions |
| AC-2 | Account Management | Protects | T1098.003 | Add Office 365 Global Administrator Role |
| AC-2 | Account Management | Protects | T1110 | Brute Force |
| AC-2 | Account Management | Protects | T1110.001 | Password Guessing |
| AC-2 | Account Management | Protects | T1110.002 | Password Cracking |
| AC-2 | Account Management | Protects | T1110.003 | Password Spraying |
| AC-2 | Account Management | Protects | T1110.004 | Credential Stuffing |
| AC-2 | Account Management | Protects | T1134 | Access Token Manipulation |
| AC-2 | Account Management | Protects | T1134.001 | Token Impersonation/Theft |
| AC-2 | Account Management | Protects | T1134.002 | Create Process with Token |
| AC-2 | Account Management | Protects | T1134.003 | Make and Impersonate Token |
| AC-2 | Account Management | Protects | T1136 | Create Account |
| AC-2 | Account Management | Protects | T1136.001 | Local Account |
| AC-2 | Account Management | Protects | T1136.002 | Domain Account |
| AC-2 | Account Management | Protects | T1136.003 | Cloud Account |
| AC-2 | Account Management | Protects | T1185 | Browser Session Hijacking |
| AC-2 | Account Management | Protects | T1190 | Exploit Public-Facing Application |
| AC-2 | Account Management | Protects | T1197 | BITS Jobs |
| AC-2 | Account Management | Protects | T1210 | Exploitation of Remote Services |
| AC-2 | Account Management | Protects | T1212 | Exploitation for Credential Access |
| AC-2 | Account Management | Protects | T1213 | Data from Information Repositories |
| AC-2 | Account Management | Protects | T1213.001 | Confluence |
| AC-2 | Account Management | Protects | T1213.002 | Sharepoint |
| AC-2 | Account Management | Protects | T1213.003 | Code Repositories |
| AC-2 | Account Management | Protects | T1218 | Signed Binary Proxy Execution |
| AC-2 | Account Management | Protects | T1218.007 | Msiexec |
| AC-2 | Account Management | Protects | T1222 | File and Directory Permissions Modification |
| AC-2 | Account Management | Protects | T1222.001 | Windows File and Directory Permissions Modification |
| AC-2 | Account Management | Protects | T1222.002 | Linux and Mac File and Directory Permissions Modification |
| AC-2 | Account Management | Protects | T1484 | Domain Policy Modification |
| AC-2 | Account Management | Protects | T1489 | Service Stop |
| AC-2 | Account Management | Protects | T1495 | Firmware Corruption |
| AC-2 | Account Management | Protects | T1505 | Server Software Component |
| AC-2 | Account Management | Protects | T1505.002 | Transport Agent |
| AC-2 | Account Management | Protects | T1505.003 | Web Shell |
| AC-2 | Account Management | Protects | T1525 | Implant Internal Image |
| AC-2 | Account Management | Protects | T1528 | Steal Application Access Token |
| AC-2 | Account Management | Protects | T1530 | Data from Cloud Storage Object |
| AC-2 | Account Management | Protects | T1537 | Transfer Data to Cloud Account |
| AC-2 | Account Management | Protects | T1538 | Cloud Service Dashboard |
| AC-2 | Account Management | Protects | T1542 | Pre-OS Boot |
| AC-2 | Account Management | Protects | T1542.001 | System Firmware |
| AC-2 | Account Management | Protects | T1542.003 | Bootkit |
| AC-2 | Account Management | Protects | T1542.005 | TFTP Boot |
| AC-2 | Account Management | Protects | T1543 | Create or Modify System Process |
| AC-2 | Account Management | Protects | T1543.001 | Launch Agent |
| AC-2 | Account Management | Protects | T1543.002 | Systemd Service |
| AC-2 | Account Management | Protects | T1543.003 | Windows Service |
| AC-2 | Account Management | Protects | T1543.004 | Launch Daemon |
| AC-2 | Account Management | Protects | T1546.003 | Windows Management Instrumentation Event Subscription |
| AC-2 | Account Management | Protects | T1547.004 | Winlogon Helper DLL |
| AC-2 | Account Management | Protects | T1547.006 | Kernel Modules and Extensions |
| AC-2 | Account Management | Protects | T1547.009 | Shortcut Modification |
| AC-2 | Account Management | Protects | T1547.012 | Print Processors |
| AC-2 | Account Management | Protects | T1547.013 | XDG Autostart Entries |
| AC-2 | Account Management | Protects | T1548 | Abuse Elevation Control Mechanism |
| AC-2 | Account Management | Protects | T1548.002 | Bypass User Account Control |
| AC-2 | Account Management | Protects | T1548.003 | Sudo and Sudo Caching |
| AC-2 | Account Management | Protects | T1550 | Use Alternate Authentication Material |
| AC-2 | Account Management | Protects | T1550.002 | Pass the Hash |
| AC-2 | Account Management | Protects | T1550.003 | Pass the Ticket |
| AC-2 | Account Management | Protects | T1552 | Unsecured Credentials |
| AC-2 | Account Management | Protects | T1552.001 | Credentials In Files |
| AC-2 | Account Management | Protects | T1552.002 | Credentials in Registry |
| AC-2 | Account Management | Protects | T1552.004 | Private Keys |
| AC-2 | Account Management | Protects | T1552.006 | Group Policy Preferences |
| AC-2 | Account Management | Protects | T1552.007 | Container API |
| AC-2 | Account Management | Protects | T1556 | Modify Authentication Process |
| AC-2 | Account Management | Protects | T1556.001 | Domain Controller Authentication |
| AC-2 | Account Management | Protects | T1556.003 | Pluggable Authentication Modules |
| AC-2 | Account Management | Protects | T1556.004 | Network Device Authentication |
| AC-2 | Account Management | Protects | T1558 | Steal or Forge Kerberos Tickets |
| AC-2 | Account Management | Protects | T1558.001 | Golden Ticket |
| AC-2 | Account Management | Protects | T1558.002 | Silver Ticket |
| AC-2 | Account Management | Protects | T1558.003 | Kerberoasting |
| AC-2 | Account Management | Protects | T1558.004 | AS-REP Roasting |
| AC-2 | Account Management | Protects | T1559 | Inter-Process Communication |
| AC-2 | Account Management | Protects | T1559.001 | Component Object Model |
| AC-2 | Account Management | Protects | T1562 | Impair Defenses |
| AC-2 | Account Management | Protects | T1562.001 | Disable or Modify Tools |
| AC-2 | Account Management | Protects | T1562.002 | Disable Windows Event Logging |
| AC-2 | Account Management | Protects | T1562.004 | Disable or Modify System Firewall |
| AC-2 | Account Management | Protects | T1562.006 | Indicator Blocking |
| AC-2 | Account Management | Protects | T1562.007 | Disable or Modify Cloud Firewall |
| AC-2 | Account Management | Protects | T1562.008 | Disable Cloud Logs |
| AC-2 | Account Management | Protects | T1562.009 | Safe Mode Boot |
| AC-2 | Account Management | Protects | T1563 | Remote Service Session Hijacking |
| AC-2 | Account Management | Protects | T1563.001 | SSH Hijacking |
| AC-2 | Account Management | Protects | T1563.002 | RDP Hijacking |
| AC-2 | Account Management | Protects | T1567 | Exfiltration Over Web Service |
| AC-2 | Account Management | Protects | T1569 | System Services |
| AC-2 | Account Management | Protects | T1569.001 | Launchctl |
| AC-2 | Account Management | Protects | T1569.002 | Service Execution |
| AC-2 | Account Management | Protects | T1574 | Hijack Execution Flow |
| AC-2 | Account Management | Protects | T1574.004 | Dylib Hijacking |
| AC-2 | Account Management | Protects | T1574.005 | Executable Installer File Permissions Weakness |
| AC-2 | Account Management | Protects | T1574.007 | Path Interception by PATH Environment Variable |
| AC-2 | Account Management | Protects | T1574.008 | Path Interception by Search Order Hijacking |
| AC-2 | Account Management | Protects | T1574.009 | Path Interception by Unquoted Path |
| AC-2 | Account Management | Protects | T1574.010 | Services File Permissions Weakness |
| AC-2 | Account Management | Protects | T1574.012 | COR_PROFILER |
| AC-2 | Account Management | Protects | T1578 | Modify Cloud Compute Infrastructure |
| AC-2 | Account Management | Protects | T1578.001 | Create Snapshot |
| AC-2 | Account Management | Protects | T1578.002 | Create Cloud Instance |
| AC-2 | Account Management | Protects | T1578.003 | Delete Cloud Instance |
| AC-2 | Account Management | Protects | T1580 | Cloud Infrastructure Discovery |
| AC-2 | Account Management | Protects | T1599 | Network Boundary Bridging |
| AC-2 | Account Management | Protects | T1599.001 | Network Address Translation Traversal |
| AC-2 | Account Management | Protects | T1601 | Modify System Image |
| AC-2 | Account Management | Protects | T1601.001 | Patch System Image |
| AC-2 | Account Management | Protects | T1601.002 | Downgrade System Image |
| AC-2 | Account Management | Protects | T1606 | Forge Web Credentials |
| AC-2 | Account Management | Protects | T1606.001 | Web Cookies |
| AC-2 | Account Management | Protects | T1606.002 | SAML Tokens |
| AC-2 | Account Management | Protects | T1609 | Container Administration Command |
| AC-2 | Account Management | Protects | T1610 | Deploy Container |
| AC-2 | Account Management | Protects | T1611 | Escape to Host |
| AC-2 | Account Management | Protects | T1612 | Build Image on Host |
| AC-2 | Account Management | Protects | T1613 | Container and Resource Discovery |
| AC-2 | Account Management | Protects | T1619 | Cloud Storage Object Discovery |