AC-6: Least Privilege
From NIST's SP800-53:
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1525 | Implant Internal Image | Persistence |
T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
T1543.002 | Systemd Service | Persistence, Privilege Escalation |
T1485 | Data Destruction | Impact |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1569.002 | Service Execution | Execution |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1559.001 | Component Object Model | Execution |
T1546.011 | Application Shimming | Persistence, Privilege Escalation |
T1563.001 | SSH Hijacking | Lateral Movement |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1542 | Pre-OS Boot | Defense Evasion, Persistence |
T1134.003 | Make and Impersonate Token | Defense Evasion, Privilege Escalation |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1137.005 | Outlook Rules | Persistence |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1553 | Subvert Trust Controls | Defense Evasion |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1110.001 | Password Guessing | Credential Access |
T1491.002 | External Defacement | Impact |
T1547.003 | Time Providers | Persistence, Privilege Escalation |
T1491.001 | Internal Defacement | Impact |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1003.003 | NTDS | Credential Access |
T1212 | Exploitation for Credential Access | Credential Access |
T1021.004 | SSH | Lateral Movement |
T1059.008 | Network Device CLI | Execution |
T1112 | Modify Registry | Defense Evasion |
T1087.004 | Cloud Account | Discovery |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1552.006 | Group Policy Preferences | Credential Access |
T1059 | Command and Scripting Interpreter | Execution |
T1552.002 | Credentials in Registry | Credential Access |
T1003.002 | Security Account Manager | Credential Access |
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
T1021.006 | Windows Remote Management | Lateral Movement |
T1025 | Data from Removable Media | Collection |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1059.006 | Python | Execution |
T1137.001 | Office Template Macros | Persistence |
T1133 | External Remote Services | Initial Access, Persistence |
T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |