AC-5: Separation of Duties
From NIST's SP800-53:
a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1021 | Remote Services | Lateral Movement |
| T1136 | Create Account | Persistence |
| T1110.002 | Password Cracking | Credential Access |
| T1134.003 | Make and Impersonate Token | Defense Evasion, Privilege Escalation |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
| T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
| T1003.007 | Proc Filesystem | Credential Access |
| T1552.007 | Container API | Credential Access |
| T1558.001 | Golden Ticket | Credential Access |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1562 | Impair Defenses | Defense Evasion |
| T1559.001 | Component Object Model | Execution |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
| T1136.003 | Cloud Account | Persistence |
| T1505.002 | Transport Agent | Persistence |
| T1059.008 | Network Device CLI | Execution |
| T1136.002 | Domain Account | Persistence |
| T1003.002 | Security Account Manager | Credential Access |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1110.004 | Credential Stuffing | Credential Access |
| T1003.004 | LSA Secrets | Credential Access |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
| T1569.001 | Launchctl | Execution |
| T1489 | Service Stop | Impact |
| T1601 | Modify System Image | Defense Evasion |
| T1552 | Unsecured Credentials | Credential Access |
| T1087.004 | Cloud Account | Discovery |
| T1213.002 | Sharepoint | Collection |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1110.003 | Password Spraying | Credential Access |
| T1056.003 | Web Portal Capture | Collection, Credential Access |
| T1003.006 | DCSync | Credential Access |
| T1505 | Server Software Component | Persistence |
| T1055 | Process Injection | Defense Evasion, Privilege Escalation |
| T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
| T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
| T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
| T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
| T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
| T1578.002 | Create Cloud Instance | Defense Evasion |
| T1538 | Cloud Service Dashboard | Discovery |
| T1110 | Brute Force | Credential Access |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1552.002 | Credentials in Registry | Credential Access |
| T1547.012 | Print Processors | Persistence, Privilege Escalation |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1563.002 | RDP Hijacking | Lateral Movement |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1136.001 | Local Account | Persistence |
| T1021.004 | SSH | Lateral Movement |
| T1562.008 | Disable or Modify Cloud Logs | Defense Evasion |
| T1213.001 | Confluence | Collection |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1601.001 | Patch System Image | Defense Evasion |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
| T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1609 | Container Administration Command | Execution |
| T1578.003 | Delete Cloud Instance | Defense Evasion |
| T1185 | Browser Session Hijacking | Collection |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1556.005 | Reversible Encryption | Credential Access, Defense Evasion, Persistence |
| T1619 | Cloud Storage Object Discovery | Discovery |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1495 | Firmware Corruption | Impact |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1528 | Steal Application Access Token | Credential Access |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1552.001 | Credentials In Files | Credential Access |
| T1070.009 | Clear Persistence | Defense Evasion |
| T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
| T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1611 | Escape to Host | Privilege Escalation |
| T1558.002 | Silver Ticket | Credential Access |
| T1505.003 | Web Shell | Persistence |
| T1003.001 | LSASS Memory | Credential Access |
| T1070.001 | Clear Windows Event Logs | Defense Evasion |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
| T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1525 | Implant Internal Image | Persistence |
| T1559 | Inter-Process Communication | Execution |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1569.002 | Service Execution | Execution |
| T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
| T1530 | Data from Cloud Storage | Collection |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1070 | Indicator Removal | Defense Evasion |
| T1213 | Data from Information Repositories | Collection |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
| T1505.005 | Terminal Services DLL | Persistence |
| T1543.002 | Systemd Service | Persistence, Privilege Escalation |
| T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
| T1070.003 | Clear Command History | Defense Evasion |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1543.001 | Launch Agent | Persistence, Privilege Escalation |
| T1110.001 | Password Guessing | Credential Access |
| T1578.001 | Create Snapshot | Defense Evasion |
| T1558.003 | Kerberoasting | Credential Access |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1213.003 | Code Repositories | Collection |
| T1569 | System Services | Execution |
| T1003 | OS Credential Dumping | Credential Access |
| T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
| T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
| T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
| T1047 | Windows Management Instrumentation | Execution |
| T1059 | Command and Scripting Interpreter | Execution |
| T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| T1098.005 | Device Registration | Persistence, Privilege Escalation |
| T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
| T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
| T1218.007 | Msiexec | Defense Evasion |
| T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
| T1580 | Cloud Infrastructure Discovery | Discovery |
| T1542.001 | System Firmware | Defense Evasion, Persistence |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1606 | Forge Web Credentials | Credential Access |
| T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
| T1059.001 | PowerShell | Execution |
| T1542.003 | Bootkit | Defense Evasion, Persistence |
| T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
| T1053.002 | At | Execution, Persistence, Privilege Escalation |