Privileged Admin Access

Admin accounts are the holy grail for attackers. Their security is a top priority, as a single compromised admin account can mean complete control over the organization.

Your Strategy

Avoid permanent admin rights ("standing privileges"). Use Privileged Identity Management (PIM) for just-in-time (JIT) activation of roles, and ensure that administrative tasks are performed only from hardened devices (Privileged Access Workstations, PAWs).

Best Practices

  • Isolation: Use separate accounts for admin tasks (no email/browsing with admin rights).
  • Hardening: Use PowerShell Constrained Language Mode on all admin endpoints.
  • Identity: Enforce FIDO2 (Security Keys) for all Tier-0 administrators.
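As an added illustration (not code from the original page or from AYSOLI), the script below audits an admin endpoint for two of the controls listed above: standing membership in the local Administrators group and whether the current PowerShell session runs in Constrained Language Mode. The allow-list of accounts that may hold standing membership is an assumption and must be adjusted per environment; the cmdlets used (Get-LocalGroupMember, the LanguageMode property) are standard Windows PowerShell.

```powershell
# Added example: audit one admin endpoint for standing privileges and
# PowerShell Constrained Language Mode. Not part of the original page.

# Assumption: only the built-in Administrator may hold standing membership.
# On a domain-joined PAW, extend this with the Tier-0 groups you expect.
$AllowedStanding = @('Administrator')

function Get-StandingAdminFindings {
    param([string[]]$Allowed = $AllowedStanding)
    $findings = @()
    # Get-LocalGroupMember ships with the LocalAccounts module (Windows PowerShell 5.1+).
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        # Member names look like "HOST\Administrator" or "DOMAIN\Group"; compare the short name.
        $shortName = ($m.Name -split '\\')[-1]
        if ($Allowed -notcontains $shortName) {
            $findings += [pscustomobject]@{
                Control = 'Standing privilege'
                Member  = $m.Name
                Class   = $m.ObjectClass   # User or Group
            }
        }
    }
    return $findings
}

function Test-ConstrainedLanguageMode {
    # LanguageMode is FullLanguage unless a lockdown policy (WDAC/AppLocker) enforces CLM.
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{
        Control  = 'Constrained Language Mode'
        Observed = $mode
        Pass     = ($mode -eq 'ConstrainedLanguage')
    }
}

# Run elevated on the endpoint being audited.
$report = @(Test-ConstrainedLanguageMode) + @(Get-StandingAdminFindings)
$report | Format-Table -AutoSize
```

The language-mode check reports the mode of the session it runs in: a PAW that returns FullLanguage either has no WDAC/AppLocker lockdown policy or the policy is not applied to that session. Each member reported as a standing-privilege finding is a candidate for removal in favour of JIT activation through PIM.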

STRIDE-LM Design Risks

  • Spoofing (S-ADM-01), Privileged Session Hijacking: takeover of an active administrator session.
  • Tampering (T-ADM-01), Admin Tool Misuse: misuse of legitimate admin tools for malicious purposes.
  • Repudiation (R-ADM-01), Audit Log Erasure: targeted deletion of traces of administrative actions.
  • Information Disclosure (I-01), Sensitive Data Exposure: unintentional disclosure of internal information to external parties.
  • Denial of Service (D-ADM-01), Global Admin Lockout: locking out all legitimate administrators.
  • Elevation of Privilege (E-01), Privilege Escalation: gaining privileges beyond what is intended.
  • Lateral Movement (L-01), Lateral Movement: accessing further internal systems after initial login.
  • Monitoring Gaps (M-ADM-01), Stealthy Persistence: backdoors established through admin privileges that go unnoticed.

MITRE ATT&CK® Techniques

Initial Access

  • T1078 Valid Accounts: exploiting existing credentials for access.
    Mitigated by:
      • Privileged Identity Management (PIM), Baseline Protection, Medium (CIS 6.2; NIST PR.AC-1; OWASP A01:2021)
      • Tiered Administration Model, Extended Protection, High (CIS 6.2; NIST PR.AC-6; OWASP A01:2021)
      • FIDO2 Enforcement, Baseline Protection, Medium (CIS 6.5; NIST PR.AC-7; OWASP A07:2021)
      • Conditional Access Policies, Baseline Protection, Medium (CIS 6.1; NIST PR.AC-7; OWASP API2)
      • MFA for Windows Sign-in, Extended Protection, Medium (CIS 6.5; NIST PR.AC-7)
      • Centralized Secrets Vaulting, Extended Protection, Medium (CIS 6.12; NIST PR.DS-1)

Execution

  • T1059.001 PowerShell: use of PowerShell to execute malicious commands on admin systems.
    Mitigated by:
      • PowerShell Constrained Language Mode, Extended Protection, Medium (CIS 2.1; NIST PR.PT-1)

Persistence

  • T1098 Account Manipulation: changing permissions or creating new accounts.
    Mitigated by:
      • Privileged Identity Management (PIM), Baseline Protection, Medium (CIS 6.2; NIST PR.AC-1; OWASP A01:2021)
  • T1484 Domain Policy Modification: modifying domain policies for privilege escalation.
    Mitigated by:
      • Privileged Identity Management (PIM), Baseline Protection, Medium (CIS 6.2; NIST PR.AC-1; OWASP A01:2021)
      • Break-Glass Accounts, Baseline Protection, Low (CIS 6.5; NIST PR.IP-4)
      • SIEM Integration, Extended Protection, High (CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021)

Privilege Escalation

  • T1548 Abuse Elevation Control Mechanism: bypassing elevation controls (e.g., UAC) to escalate privileges.
    Mitigated by:
      • Privileged Identity Management (PIM), Baseline Protection, Medium (CIS 6.2; NIST PR.AC-1; OWASP A01:2021)
      • Tiered Administration Model, Extended Protection, High (CIS 6.2; NIST PR.AC-6; OWASP A01:2021)

Defense Evasion

  • T1070 Indicator Removal: deliberate deletion of logs and evidence to conceal an attack.
    Mitigated by:
      • PowerShell Constrained Language Mode, Extended Protection, Medium (CIS 2.1; NIST PR.PT-1)
      • Incident Response Playbook (Admin Compromise), Baseline Protection, Medium (CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1, RC.RP-1)

Credential Access

  • T1003 OS Credential Dumping: extracting credentials from the operating system.
    Mitigated by:
      • Privileged Access Workstation (PAW), Extended Protection, High (CIS 6.4; NIST PR.AC-3)
      • MFA for Windows Sign-in, Extended Protection, Medium (CIS 6.5; NIST PR.AC-7)
      • Incident Response Playbook (Admin Compromise), Baseline Protection, Medium (CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1, RC.RP-1)
  • T1556 Modify Authentication Process: manipulation of the authentication workflow.
    Mitigated by:
      • Privileged Access Workstation (PAW), Extended Protection, High (CIS 6.4; NIST PR.AC-3)
      • MFA for Windows Sign-in, Extended Protection, Medium (CIS 6.5; NIST PR.AC-7)
      • Incident Response Playbook (Admin Compromise), Baseline Protection, Medium (CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1, RC.RP-1)
  • T1558 Steal or Forge Kerberos Tickets: manipulation of Kerberos tickets to bypass authentication.
    Mitigated by:
      • Privileged Access Workstation (PAW), Extended Protection, High (CIS 6.4; NIST PR.AC-3)
      • Incident Response Playbook (Admin Compromise), Baseline Protection, Medium (CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1, RC.RP-1)
  • T1557 Adversary-in-the-Middle: intercepting communication between two parties.
    Mitigated by:
      • Privileged Access Workstation (PAW), Extended Protection, High (CIS 6.4; NIST PR.AC-3)
  • T1528 Steal Application Access Token: theft of tokens to bypass authentication.
    Mitigated by:
      • Centralized Secrets Vaulting, Extended Protection, Medium (CIS 6.12; NIST PR.DS-1)

Discovery

  • T1087 Account Discovery: enumeration of internal accounts and group structures after initial access.
    Mitigated by:
      • Tiered Administration Model, Extended Protection, High (CIS 6.2; NIST PR.AC-6; OWASP A01:2021)
      • SIEM Integration, Extended Protection, High (CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021)
  • T1580 Shadow IT Asset Discovery: finding unmanaged resources in the network.
    Mitigated by:
      • Tiered Administration Model, Extended Protection, High (CIS 6.2; NIST PR.AC-6; OWASP A01:2021)

Lateral Movement

  • T1021 Remote Services: use of legitimate remote services for lateral movement within the network.
    Mitigated by:
      • Tiered Administration Model, Extended Protection, High (CIS 6.2; NIST PR.AC-6; OWASP A01:2021)

Exfiltration

  • T1567 Exfiltration Over Web Service: data leakage via legitimate web interfaces.
    Mitigated by:
      • SIEM Integration, Extended Protection, High (CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021)

Impact

  • T1531 Account Access Removal: removing access for legitimate users.
    Mitigated by:
      • Break-Glass Accounts, Baseline Protection, Low (CIS 6.5; NIST PR.IP-4)
      • SIEM Integration, Extended Protection, High (CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021)
  • T1485 Data Destruction: irretrievable deletion of company data.
    Mitigated by:
      • Break-Glass Accounts, Baseline Protection, Low (CIS 6.5; NIST PR.IP-4)
      • SIEM Integration, Extended Protection, High (CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021)
      • Incident Response Playbook (Admin Compromise), Baseline Protection, Medium (CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1, RC.RP-1)
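The SIEM Integration control listed above only pays off if concrete rules exist for the admin-compromise techniques in this table. As an added example (not code from the original page or from AYSOLI), the script below applies two such rules to Windows Security events: privileged group membership changes (T1098 Account Manipulation, Security events 4728/4732/4756) and clearing of the Security log (T1070 Indicator Removal, event 1102). The event records are constructed samples already reduced to the fields a rule needs; a real pipeline would extract Subject, Group and Member from the event's Properties or XML before applying the same logic. The list of watched groups is an assumption.

```powershell
# Added example: minimal detection rules for admin-compromise indicators.
# Not part of the original page. Event objects below are constructed samples.

# Assumption: the groups whose membership changes should always alert.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Constructed sample events, pre-parsed into the fields the rules use.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-05-01T08:12:03'; Id = 4624; Subject = 'CORP\alice'; Group = $null;                  Member = $null }
    [pscustomobject]@{ TimeCreated = '2024-05-01T08:15:41'; Id = 4728; Subject = 'CORP\alice'; Group = 'Domain Admins';        Member = 'CORP\svc-backup' }
    [pscustomobject]@{ TimeCreated = '2024-05-01T08:16:02'; Id = 4732; Subject = 'CORP\bob';   Group = 'Remote Desktop Users'; Member = 'CORP\carol' }
    [pscustomobject]@{ TimeCreated = '2024-05-01T08:20:19'; Id = 1102; Subject = 'CORP\alice'; Group = $null;                  Member = $null }
)

function Find-AdminCompromiseIndicators {
    param(
        [object[]]$Events,
        [string[]]$WatchGroups = $PrivilegedGroups
    )
    foreach ($e in $Events) {
        switch ($e.Id) {
            # 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group.
            { $_ -in 4728, 4732, 4756 } {
                if ($WatchGroups -contains $e.Group) {
                    [pscustomobject]@{
                        Time      = $e.TimeCreated
                        Technique = 'T1098'
                        Severity  = 'High'
                        Detail    = "$($e.Subject) added $($e.Member) to $($e.Group)"
                    }
                }
            }
            # 1102: the Security audit log was cleared.
            1102 {
                [pscustomobject]@{
                    Time      = $e.TimeCreated
                    Technique = 'T1070'
                    Severity  = 'Critical'
                    Detail    = "$($e.Subject) cleared the Security log"
                }
            }
        }
    }
}

# Expected on the samples: one T1098 alert (Domain Admins) and one T1070 alert;
# the 4624 logon and the Remote Desktop Users change produce nothing.
Find-AdminCompromiseIndicators -Events $SampleEvents | Format-Table -AutoSize
```

Both rules are deliberately narrow: the group rule ignores non-privileged groups so that routine helpdesk changes do not drown the alert, and event 1102 is always escalated because there is no legitimate reason for it outside a documented maintenance window. A 1102 shortly after a privileged group change by the same subject, as in the sample, is the pattern the Incident Response Playbook (Admin Compromise) should trigger on.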

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.
