AC-3: Access Enforcement
From NIST's SP800-53:
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions |
| PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
| PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1558.001 | Golden Ticket | Credential Access |
| T1110.001 | Password Guessing | Credential Access |
| T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
| T1185 | Browser Session Hijacking | Collection |
| T1005 | Data from Local System | Collection |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1622 | Debugger Evasion | Defense Evasion, Discovery |
| T1087.004 | Cloud Account | Discovery |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1619 | Cloud Storage Object Discovery | Discovery |
| T1114.002 | Remote Email Collection | Collection |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1647 | Plist File Modification | Defense Evasion |
| T1552.005 | Cloud Instance Metadata API | Credential Access |
| T1606.001 | Web Cookies | Credential Access |
| T1036.003 | Rename System Utilities | Defense Evasion |
| T1059.006 | Python | Execution |
| T1491.001 | Internal Defacement | Impact |
| T1136.003 | Cloud Account | Persistence |
| T1056.003 | Web Portal Capture | Collection, Credential Access |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1569.002 | Service Execution | Execution |
| T1491.002 | External Defacement | Impact |
| T1489 | Service Stop | Impact |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1218.002 | Control Panel | Defense Evasion |
| T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
| T1037.002 | Login Hook | Persistence, Privilege Escalation |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
| T1037.004 | RC Scripts | Persistence, Privilege Escalation |
| T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
| T1561.001 | Disk Content Wipe | Impact |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1559 | Inter-Process Communication | Execution |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
| T1569.001 | Launchctl | Execution |
| T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
| T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
| T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
| T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
| T1602 | Data from Configuration Repository | Collection |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1025 | Data from Removable Media | Collection |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1003.004 | LSA Secrets | Credential Access |
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
| T1498.001 | Direct Network Flood | Impact |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1213.001 | Confluence | Collection |
| T1606.002 | SAML Tokens | Credential Access |
| T1538 | Cloud Service Dashboard | Discovery |
| T1602.002 | Network Device Configuration Dump | Collection |
| T1090.003 | Multi-hop Proxy | Command and Control |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1003.003 | NTDS | Credential Access |
| T1564.004 | NTFS File Attributes | Defense Evasion |
| T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
| T1561.002 | Disk Structure Wipe | Impact |
| T1552.002 | Credentials in Registry | Credential Access |
| T1505.005 | Terminal Services DLL | Persistence |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1611 | Escape to Host | Privilege Escalation |
| T1485 | Data Destruction | Impact |
| T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
| T1059.008 | Network Device CLI | Execution |
| T1218.007 | Msiexec | Defense Evasion |
| T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
| T1070.003 | Clear Command History | Defense Evasion |
| T1610 | Deploy Container | Defense Evasion, Execution |
| T1563.002 | RDP Hijacking | Lateral Movement |
| T1114 | Email Collection | Collection |
| T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
| T1578.003 | Delete Cloud Instance | Defense Evasion |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
| T1601 | Modify System Image | Defense Evasion |
| T1110.004 | Credential Stuffing | Credential Access |
| T1055 | Process Injection | Defense Evasion, Privilege Escalation |
| T1565.003 | Runtime Data Manipulation | Impact |
| T1059.003 | Windows Command Shell | Execution |
| T1490 | Inhibit System Recovery | Impact |
| T1136.001 | Local Account | Persistence |
| T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
| T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1606 | Forge Web Credentials | Credential Access |
| T1505.003 | Web Shell | Persistence |
| T1098.005 | Device Registration | Persistence, Privilege Escalation |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
| T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
| T1528 | Steal Application Access Token | Credential Access |
| T1003.007 | Proc Filesystem | Credential Access |
| T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
| T1071.004 | DNS | Command and Control |
| T1543.001 | Launch Agent | Persistence, Privilege Escalation |
| T1059.001 | PowerShell | Execution |
| T1552.007 | Container API | Credential Access |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1648 | Serverless Execution | Execution |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1036 | Masquerading | Defense Evasion |
| T1021 | Remote Services | Lateral Movement |
| T1003.001 | LSASS Memory | Credential Access |
| T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1542.004 | ROMMONkit | Defense Evasion, Persistence |
| T1200 | Hardware Additions | Initial Access |
| T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
| T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
| T1530 | Data from Cloud Storage | Collection |
| T1505 | Server Software Component | Persistence |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1495 | Firmware Corruption | Impact |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1499.002 | Service Exhaustion Flood | Impact |
| T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
| T1552 | Unsecured Credentials | Credential Access |
| T1499.004 | Application or System Exploitation | Impact |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1187 | Forced Authentication | Credential Access |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1090 | Proxy | Command and Control |
| T1562 | Impair Defenses | Defense Evasion |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1578.002 | Create Cloud Instance | Defense Evasion |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1505.002 | Transport Agent | Persistence |
| T1499.001 | OS Exhaustion Flood | Impact |
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |
| T1612 | Build Image on Host | Defense Evasion |
| T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
| T1572 | Protocol Tunneling | Command and Control |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1199 | Trusted Relationship | Initial Access |
| T1542.001 | System Firmware | Defense Evasion, Persistence |
| T1003 | OS Credential Dumping | Credential Access |
| T1499.003 | Application Exhaustion Flood | Impact |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1558.002 | Silver Ticket | Credential Access |
| T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| T1561 | Disk Wipe | Impact |
| T1498 | Network Denial of Service | Impact |
| T1542.003 | Bootkit | Defense Evasion, Persistence |
| T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
| T1134.003 | Make and Impersonate Token | Defense Evasion, Privilege Escalation |
| T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
| T1219 | Remote Access Software | Command and Control |
| T1053.002 | At | Execution, Persistence, Privilege Escalation |
| T1498.002 | Reflection Amplification | Impact |
| T1613 | Container and Resource Discovery | Discovery |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1565 | Data Manipulation | Impact |
| T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
| T1136.002 | Domain Account | Persistence |
| T1218.012 | Verclsid | Defense Evasion |
| T1110 | Brute Force | Credential Access |
| T1021.005 | VNC | Lateral Movement |
| T1070.001 | Clear Windows Event Logs | Defense Evasion |
| T1565.001 | Stored Data Manipulation | Impact |
| T1003.002 | Security Account Manager | Credential Access |
| T1562.008 | Disable or Modify Cloud Logs | Defense Evasion |
| T1052.001 | Exfiltration over USB | Exfiltration |
| T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
| T1558.003 | Kerberoasting | Credential Access |
| T1110.003 | Password Spraying | Credential Access |
| T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
| T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| T1059.005 | Visual Basic | Execution |
| T1213 | Data from Information Repositories | Collection |
| T1525 | Implant Internal Image | Persistence |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1059 | Command and Scripting Interpreter | Execution |
| T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
| T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
| T1080 | Taint Shared Content | Lateral Movement |
| T1059.007 | JavaScript | Execution |
| T1569 | System Services | Execution |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1021.004 | SSH | Lateral Movement |
| T1213.003 | Code Repositories | Collection |
| T1499 | Endpoint Denial of Service | Impact |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
| T1070 | Indicator Removal | Defense Evasion |
| T1578.001 | Create Snapshot | Defense Evasion |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1491 | Defacement | Impact |
| T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
| T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
| T1580 | Cloud Infrastructure Discovery | Discovery |
| T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
| T1110.002 | Password Cracking | Credential Access |
| T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
| T1543.002 | Systemd Service | Persistence, Privilege Escalation |
| T1136 | Create Account | Persistence |
| T1505.004 | IIS Components | Persistence |
| T1003.006 | DCSync | Credential Access |
| T1486 | Data Encrypted for Impact | Impact |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1059.004 | Unix Shell | Execution |
| T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1601.001 | Patch System Image | Defense Evasion |
| T1070.009 | Clear Persistence | Defense Evasion |
| T1213.002 | Sharepoint | Collection |
| T1557.003 | DHCP Spoofing | Collection, Credential Access |
| T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
| T1559.001 | Component Object Model | Execution |
| T1059.002 | AppleScript | Execution |
| T1547.012 | Print Processors | Persistence, Privilege Escalation |
| T1609 | Container Administration Command | Execution |
| T1547.003 | Time Providers | Persistence, Privilege Escalation |
| T1047 | Windows Management Instrumentation | Execution |