MITRE ATT&CK vulnerability spotlight: Account manipulation
Introduction
MITRE functions as a U.S. government-funded research and development center (FFRDC). This role involves performing trusted third-party research, development and evaluation for the federal government. As part of MITRE’s mission, it performs research and development in the field of cybersecurity.
The MITRE ATT&CK matrix is one of their efforts to help formalize cyberdefense. The matrix breaks the attack life cycle into its component stages and describes methods by which an attacker could perform each stage. The tool can be used for research and development, building a formal cyberdefense strategy and a variety of other purposes.
What is account manipulation?
One of the stages in the attack life cycle, as defined in the MITRE ATT&CK framework, is credential access. At this stage, a hacker attempts to acquire usernames and passwords to gain access to accounts or escalate privileges. One method of accomplishing this stage is account manipulation.
Account manipulation covers a variety of different actions and is typically performed to escalate privileges once an attacker already has access to an account on the target system. By modifying aspects of accounts on the system, the attacker may be able to gain access to additional accounts or increase the privileges of the account that they have already gained access to.
Account manipulation can be used to give a hacker access to a user account. This could either involve the creation of a new account (to add persistence or make the attack less noticeable) or gaining access to another user’s account. For example, the root user on a Linux system could use the passwd command to change the password of any other user on the system.
Account manipulation can also be used to elevate the level of access that an attacker has on a target system. If an attacker can modify permissions on the system, they can:
- Add or change permission groups
- Modify account settings
- Modify how authentication is performed
Once an attacker has access to an account, they may also perform account manipulation to extend that access without detection. For example, an organization may require password changes at regular intervals and keep a log of the past X passwords that it forbids reuse of. A hacker may perform X+1 password updates in sequence (ending on the original password) to ensure that the account owner is not prompted to change their password to something unknown to the attacker.
Examples of account manipulation
One of the limitations of taking advantage of a user account is that the user may notice. If a hacker drops malware or other files into a user’s home directory as a stepping stone for an attack, those files may be discovered. Creating a new account is also problematic, since the account creation may be detected and trigger an alert.
A more subtle approach is taking over an unused account. If an attacker has managed to gain administrator credentials on a target machine, they can force a password change on an unused account. They also have the ability to assign the account any permissions that are required to achieve their goals on the system. This provides them with a foothold on the system from which to perform additional attacks with a lower probability of detection than on the original compromised account.
Detection and mitigation
Detecting account manipulation
Account manipulation consists of modifying a user account to suit the purposes of an attacker. While account modification actions can be performed for legitimate reasons, correlating update actions with other information can help with identification of potentially suspicious or malicious activity.
On Windows, the event ID for changing a user account is 4738. Monitoring for this event ID can help an analyst determine when activities related to account manipulation are being performed. Once an event is detected, it can be correlated with other information to determine if it warrants further investigation, such as:
- Time of modification: Did it occur shortly after another anomalous event or outside of business hours?
- Modifying other accounts: Is the user changing a different account’s password or other information?
- Forced password changes: Did an administrative user change a user password without knowledge of the old password?
Account manipulation can also be detected based on its effects. An attacker may perform account manipulation to elevate or expand account privileges, so any account with excessive permissions may be suspicious. Alternatively, a hacker may change the password of a dormant account to maintain persistence, so the sudden reactivation of an account can be suspicious.
Mitigating
Account manipulation attacks require the attacker to already have access to a system and the level of permissions necessary to manipulate accounts. Mitigating this attack vector requires denying the attacker one of both of these.
An attacker can gain initial access to a machine in a variety of different ways. Two of the most common are compromising poor user credentials or protocols/services that have unpatched vulnerabilities. Implementing multi-factor authentication and disabling unnecessary services on critical systems can help to dramatically decrease the attack surface of these systems.
Account manipulation can also be used to move laterally through a network via shared credentials. An organization should not have accounts with administrator permissions on multiple systems and should implement network segmentation to isolate critical systems and domain controllers. This limits an attacker’s ability to access these systems and high-value accounts.
Finally, it is important to limit an attacker’s access to administrator accounts by implementing least privilege. Administrator accounts should not be used for daily tasks. All users should operate in a limited user account for most business and only elevate to an administrator account for actions that require it.
Conclusion: Protecting against account manipulation
Account manipulation attacks take advantage of an attacker’s access to accounts on machines with the power to manipulate account permissions and access requirements. Protecting against this attack vector requires limiting an attacker’s access to accounts with this level of permissions and monitoring for events that may indicate account manipulation. Locking down administrator accounts by implementing least privilege and multi-factor authentication can do a great deal to minimize the threat of this attack.
Sources
- Account Manipulation, MITRE
- 4738(S): A user account was changed., Microsoft Docs
- 6.3. Changing User Passwords, tldp.org