MITRE ATT&CK vulnerability spotlight: Account manipulation - Security Boulevard

MITRE ATT&CK vulnerability spotlight: Account manipulation

Introduction

MITRE functions as a U.S. government-funded research and development center (FFRDC). This role involves performing trusted third-party research, development and evaluation for the federal government. As part of MITRE’s mission, it performs research and development in the field of cybersecurity. 

The MITRE ATT&CK matrix is one of their efforts to help formalize cyberdefense. The matrix breaks the attack life cycle into its component stages and describes methods by which an attacker could perform each stage. The tool can be used for research and development, building a formal cyberdefense strategy and a variety of other purposes.

What is account manipulation?

One of the stages in the attack life cycle, as defined in the MITRE ATT&CK framework, is credential access. At this stage, a hacker attempts to acquire usernames and passwords to gain access to accounts or escalate privileges. One method of accomplishing this stage is account manipulation.

Account manipulation covers a variety of different actions and is typically performed to escalate privileges once an attacker already has access to an account on the target system. By modifying aspects of accounts on the system, the attacker may be able to gain access to additional accounts or increase the privileges of the account that they have already gained access to.

Account manipulation can be used to give a hacker access to a user account. This could either involve the creation of a new account (to add persistence or make the attack less noticeable) or gaining access to another user’s account. For example, the root user on a Linux system could use the passwd command to change the password of any other user on the system.

Account manipulation can also be used to elevate the level of access that an attacker has on a target system. If an attacker can modify (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/hRs7zgajc20/