IA-2: Identification and Authentication (organizational Users)
From NIST's SP800-53:
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions |
| PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
| PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
| T1087.004 | Cloud Account | Discovery |
| T1218.007 | Msiexec | Defense Evasion |
| T1489 | Service Stop | Impact |
| T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1578.001 | Create Snapshot | Defense Evasion |
| T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
| T1136 | Create Account | Persistence |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1578.002 | Create Cloud Instance | Defense Evasion |
| T1555.005 | Password Managers | Credential Access |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1021.005 | VNC | Lateral Movement |
| T1552.002 | Credentials in Registry | Credential Access |
| T1036.007 | Double File Extension | Defense Evasion |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |
| T1055 | Process Injection | Defense Evasion, Privilege Escalation |
| T1003.003 | NTDS | Credential Access |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1110.002 | Password Cracking | Credential Access |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1003.007 | Proc Filesystem | Credential Access |
| T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
| T1538 | Cloud Service Dashboard | Discovery |
| T1110.003 | Password Spraying | Credential Access |
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
| T1134.003 | Make and Impersonate Token | Defense Evasion, Privilege Escalation |
| T1185 | Browser Session Hijacking | Collection |
| T1136.003 | Cloud Account | Persistence |
| T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
| T1613 | Container and Resource Discovery | Discovery |
| T1542.003 | Bootkit | Defense Evasion, Persistence |
| T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1530 | Data from Cloud Storage | Collection |
| T1053.002 | At | Execution, Persistence, Privilege Escalation |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
| T1649 | Steal or Forge Authentication Certificates | Credential Access |
| T1552.007 | Container API | Credential Access |
| T1213.001 | Confluence | Collection |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation |
| T1495 | Firmware Corruption | Impact |
| T1003.004 | LSA Secrets | Credential Access |
| T1213 | Data from Information Repositories | Collection |
| T1569 | System Services | Execution |
| T1213.003 | Code Repositories | Collection |
| T1611 | Escape to Host | Privilege Escalation |
| T1528 | Steal Application Access Token | Credential Access |
| T1578.003 | Delete Cloud Instance | Defense Evasion |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1601.001 | Patch System Image | Defense Evasion |
| T1569.001 | Launchctl | Execution |
| T1059 | Command and Scripting Interpreter | Execution |
| T1547.012 | Print Processors | Persistence, Privilege Escalation |
| T1114.002 | Remote Email Collection | Collection |
| T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1585.003 | Cloud Accounts | Resource Development |
| T1525 | Implant Internal Image | Persistence |
| T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1213.002 | Sharepoint | Collection |
| T1003.006 | DCSync | Credential Access |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1559.001 | Component Object Model | Execution |
| T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
| T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
| T1562.008 | Disable or Modify Cloud Logs | Defense Evasion |
| T1059.008 | Network Device CLI | Execution |
| T1003.002 | Security Account Manager | Credential Access |
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1021 | Remote Services | Lateral Movement |
| T1558.003 | Kerberoasting | Credential Access |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1563.002 | RDP Hijacking | Lateral Movement |
| T1003 | OS Credential Dumping | Credential Access |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1552 | Unsecured Credentials | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1601 | Modify System Image | Defense Evasion |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1569.002 | Service Execution | Execution |
| T1648 | Serverless Execution | Execution |
| T1552.004 | Private Keys | Credential Access |
| T1586.003 | Cloud Accounts | Resource Development |
| T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
| T1542.001 | System Firmware | Defense Evasion, Persistence |
| T1136.002 | Domain Account | Persistence |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1110.004 | Credential Stuffing | Credential Access |
| T1110.001 | Password Guessing | Credential Access |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1505.002 | Transport Agent | Persistence |
| T1552.001 | Credentials In Files | Credential Access |
| T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1114 | Email Collection | Collection |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1610 | Deploy Container | Defense Evasion, Execution |
| T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
| T1543.001 | Launch Agent | Persistence, Privilege Escalation |
| T1558.001 | Golden Ticket | Credential Access |
| T1056.003 | Web Portal Capture | Collection, Credential Access |
| T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
| T1558.002 | Silver Ticket | Credential Access |
| T1021.004 | SSH | Lateral Movement |
| T1110 | Brute Force | Credential Access |
| T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| T1562 | Impair Defenses | Defense Evasion |
| T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
| T1047 | Windows Management Instrumentation | Execution |
| T1505 | Server Software Component | Persistence |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
| T1619 | Cloud Storage Object Discovery | Discovery |
| T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
| T1136.001 | Local Account | Persistence |
| T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1111 | Multi-Factor Authentication Interception | Credential Access |
| T1040 | Network Sniffing | Credential Access, Discovery |
| T1505.004 | IIS Components | Persistence |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |
| T1059.001 | PowerShell | Execution |
| T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
| T1559 | Inter-Process Communication | Execution |
| T1580 | Cloud Infrastructure Discovery | Discovery |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1543.002 | Systemd Service | Persistence, Privilege Escalation |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |