We have a blog! Check out MITRE Shield on Medium.

Admin Access

Modify a user's administrative privileges.

Changing the target system to allow or disallow users to perform tasks requiring administrator level permissions gives the defender leverage in inhibiting or facilitating attacks. The procedures for changing these permissions vary across different operating and software systems.

Details
ID: DTE0001
Tactics:  Facilitate Test Channel Disrupt Contain

Opportunities

IDDescription
DOS0001 There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
DOS0029 There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs.
DOS0147 In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives.

Use Cases

IDDescription
DUC0025 A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools.
DUC0042 A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution.
DUC0055 A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation.
DUC0137 A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI.
DUC0196 A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit.
DUC0232 A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system.

Procedures

IDDescription
DPR0001 Remove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks.
DPR0002 Grant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1014 Rootkit Defense Evasion
T1047 Windows Management Instrumentation Execution
T1053 Scheduled Task/Job ExecutionPersistencePrivilege Escalation
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1070 Indicator Removal on Host Defense Evasion
T1546 Event Triggered Execution Privilege EscalationPersistence