Modify a user's administrative privileges.
Changing the target system to allow or disallow users to perform tasks requiring administrator level permissions gives the defender leverage in inhibiting or facilitating attacks. The procedures for changing these permissions vary across different operating and software systems.
|There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
|There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs.
|In an adversary engagement scenario, there is an opportunity to allow or restrict admin access to support your defensive objectives.
|A defender can enable Admin Access on a system to see if the adversary utilizes that access to create scheduled tasks to launch their malware or tools.
|A defender can allow Admin access on a decoy system or network to allow an adversary to use event triggered execution.
|A defender can configure system users to not have admin access in order to ensure privilege escalation requires exploitation.
|A defender can remove admin access from the local user to prevent an adversary from being able to utilize WMI.
|A defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit.
|A defender can restrict admin access to force an adversary to escalate privileges in order to delete logs and captured artifacts from a system.
|Remove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks.
|Grant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service.
|Windows Management Instrumentation
|Execution, Persistence, Privilege Escalation
|Exploitation for Privilege Escalation
|Indicator Removal on Host
|Event Triggered Execution
|Privilege Escalation, Persistence