AC-6: Least Privilege
From NIST's SP800-53:
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
| T1525 | Implant Internal Image | Persistence |
| T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
| T1543.002 | Systemd Service | Persistence, Privilege Escalation |
| T1485 | Data Destruction | Impact |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1569.002 | Service Execution | Execution |
| T1547.012 | Print Processors | Persistence, Privilege Escalation |
| T1559.001 | Component Object Model | Execution |
| T1546.011 | Application Shimming | Persistence, Privilege Escalation |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1134.003 | Make and Impersonate Token | Defense Evasion, Privilege Escalation |
| T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
| T1137.005 | Outlook Rules | Persistence |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1578.002 | Create Cloud Instance | Defense Evasion |
| T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1553 | Subvert Trust Controls | Defense Evasion |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
| T1110.001 | Password Guessing | Credential Access |
| T1491.002 | External Defacement | Impact |
| T1547.003 | Time Providers | Persistence, Privilege Escalation |
| T1491.001 | Internal Defacement | Impact |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1003.003 | NTDS | Credential Access |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1021.004 | SSH | Lateral Movement |
| T1059.008 | Network Device CLI | Execution |
| T1112 | Modify Registry | Defense Evasion |
| T1087.004 | Cloud Account | Discovery |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1059 | Command and Scripting Interpreter | Execution |
| T1552.002 | Credentials in Registry | Credential Access |
| T1003.002 | Security Account Manager | Credential Access |
| T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1025 | Data from Removable Media | Collection |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1059.006 | Python | Execution |
| T1137.001 | Office Template Macros | Persistence |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1558.002 | Silver Ticket | Credential Access |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1110.002 | Password Cracking | Credential Access |
| T1606 | Forge Web Credentials | Credential Access |
| T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
| T1136.001 | Local Account | Persistence |
| T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
| T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
| T1563.002 | RDP Hijacking | Lateral Movement |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1505.003 | Web Shell | Persistence |
| T1056.003 | Web Portal Capture | Collection, Credential Access |
| T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
| T1546.016 | Installer Packages | Persistence, Privilege Escalation |
| T1059.007 | JavaScript | Execution |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
| T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
| T1213.002 | Sharepoint | Collection |
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1055.005 | Thread Local Storage | Defense Evasion, Privilege Escalation |
| T1558.001 | Golden Ticket | Credential Access |
| T1552 | Unsecured Credentials | Credential Access |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1055.014 | VDSO Hijacking | Defense Evasion, Privilege Escalation |
| T1606.002 | SAML Tokens | Credential Access |
| T1070.001 | Clear Windows Event Logs | Defense Evasion |
| T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
| T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
| T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1199 | Trusted Relationship | Initial Access |
| T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
| T1136.003 | Cloud Account | Persistence |
| T1055.013 | Process Doppelgänging | Defense Evasion, Privilege Escalation |
| T1489 | Service Stop | Impact |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1053.002 | At | Execution, Persistence, Privilege Escalation |
| T1601.001 | Patch System Image | Defense Evasion |
| T1137.006 | Add-ins | Persistence |
| T1491 | Defacement | Impact |
| T1619 | Cloud Storage Object Discovery | Discovery |
| T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
| T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1569 | System Services | Execution |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1137.004 | Outlook Home Page | Persistence |
| T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
| T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
| T1059.003 | Windows Command Shell | Execution |
| T1059.002 | AppleScript | Execution |
| T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
| T1486 | Data Encrypted for Impact | Impact |
| T1559 | Inter-Process Communication | Execution |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1542.001 | System Firmware | Defense Evasion, Persistence |
| T1578.001 | Create Snapshot | Defense Evasion |
| T1106 | Native API | Execution |
| T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
| T1538 | Cloud Service Dashboard | Discovery |
| T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1556.005 | Reversible Encryption | Credential Access, Defense Evasion, Persistence |
| T1606.001 | Web Cookies | Credential Access |
| T1505.004 | IIS Components | Persistence |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1021.005 | VNC | Lateral Movement |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1047 | Windows Management Instrumentation | Execution |
| T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
| T1036 | Masquerading | Defense Evasion |
| T1136 | Create Account | Persistence |
| T1059.005 | Visual Basic | Execution |
| T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
| T1218.007 | Msiexec | Defense Evasion |
| T1505 | Server Software Component | Persistence |
| T1185 | Browser Session Hijacking | Collection |
| T1059.004 | Unix Shell | Execution |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1610 | Deploy Container | Defense Evasion, Execution |
| T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
| T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
| T1003.006 | DCSync | Credential Access |
| T1561.001 | Disk Content Wipe | Impact |
| T1559.002 | Dynamic Data Exchange | Execution |
| T1200 | Hardware Additions | Initial Access |
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
| T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| T1213.001 | Confluence | Collection |
| T1110.004 | Credential Stuffing | Credential Access |
| T1561 | Disk Wipe | Impact |
| T1189 | Drive-by Compromise | Initial Access |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1070.003 | Clear Command History | Defense Evasion |
| T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
| T1213.003 | Code Repositories | Collection |
| T1059.001 | PowerShell | Execution |
| T1036.003 | Rename System Utilities | Defense Evasion |
| T1543.003 | Windows Service | Persistence, Privilege Escalation |
| T1553.006 | Code Signing Policy Modification | Defense Evasion |
| T1137.002 | Office Test | Persistence |
| T1552.007 | Container API | Credential Access |
| T1609 | Container Administration Command | Execution |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
| T1005 | Data from Local System | Collection |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1505.002 | Transport Agent | Persistence |
| T1110.003 | Password Spraying | Credential Access |
| T1052.001 | Exfiltration over USB | Exfiltration |
| T1601 | Modify System Image | Defense Evasion |
| T1558.003 | Kerberoasting | Credential Access |
| T1613 | Container and Resource Discovery | Discovery |
| T1055 | Process Injection | Defense Evasion, Privilege Escalation |
| T1003 | OS Credential Dumping | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1176 | Browser Extensions | Persistence |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
| T1003.004 | LSA Secrets | Credential Access |
| T1003.007 | Proc Filesystem | Credential Access |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1136.002 | Domain Account | Persistence |
| T1528 | Steal Application Access Token | Credential Access |
| T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1070 | Indicator Removal | Defense Evasion |
| T1070.009 | Clear Persistence | Defense Evasion |
| T1203 | Exploitation for Client Execution | Execution |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1542.004 | ROMMONkit | Defense Evasion, Persistence |
| T1137 | Office Application Startup | Persistence |
| T1569.001 | Launchctl | Execution |
| T1021 | Remote Services | Lateral Movement |
| T1562 | Impair Defenses | Defense Evasion |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1495 | Firmware Corruption | Impact |
| T1098.005 | Device Registration | Persistence, Privilege Escalation |
| T1561.002 | Disk Structure Wipe | Impact |
| T1543.001 | Launch Agent | Persistence, Privilege Escalation |
| T1530 | Data from Cloud Storage | Collection |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
| T1578.003 | Delete Cloud Instance | Defense Evasion |
| T1137.003 | Outlook Forms | Persistence |
| T1580 | Cloud Infrastructure Discovery | Discovery |
| T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1611 | Escape to Host | Privilege Escalation |
| T1552.001 | Credentials In Files | Credential Access |
| T1110 | Brute Force | Credential Access |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1562.008 | Disable or Modify Cloud Logs | Defense Evasion |
| T1213 | Data from Information Repositories | Collection |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1612 | Build Image on Host | Defense Evasion |
| T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
| T1574.011 | Services Registry Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1648 | Serverless Execution | Execution |
| T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
| T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
| T1055.011 | Extra Window Memory Injection | Defense Evasion, Privilege Escalation |
| T1647 | Plist File Modification | Defense Evasion |
| T1505.005 | Terminal Services DLL | Persistence |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |
| T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
| T1542.003 | Bootkit | Defense Evasion, Persistence |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1490 | Inhibit System Recovery | Impact |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |