Description
The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes.
Supplemental Guidance
Planned or unplanned changes to the hardware, software, and/or firmware components of the information system can have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals obtain access to information system components for purposes of initiating changes, including upgrades, and modifications.
Enhancements
(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
MITRE ATT&CK Techniques (162)
ATT&CK v16.1Techniques mitigated by this control, mapped via CTID.
Initial Access 8 Execution 18 Persistence 59 Privilege Escalation 50 Defense Evasion 66 Credential Access 25 Discovery 1 Lateral Movement 16 Collection 7 Exfiltration 2 Impact 2
Show all 162 techniques grouped by tactic
Initial Access
Execution
T1047 Windows Management Instrumentation T1053 Scheduled Task/Job T1059 Command and Scripting Interpreter T1072 Software Deployment Tools T1559 Inter-Process Communication T1569 System Services T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1053.007 Container Orchestration Job T1059.001 PowerShell T1059.006 Python T1059.008 Network Device CLI T1559.001 Component Object Model T1559.003 XPC Services T1569.001 Launchctl T1569.002 Service Execution
Persistence
T1053 Scheduled Task/Job T1078 Valid Accounts T1098 Account Manipulation T1136 Create Account T1176 Browser Extensions T1197 BITS Jobs T1505 Server Software Component T1525 Implant Internal Image T1542 Pre-OS Boot T1543 Create or Modify System Process T1554 Compromise Host Software Binary T1556 Modify Authentication Process T1574 Hijack Execution Flow T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1053.007 Container Orchestration Job T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1098.001 Additional Cloud Credentials T1098.002 Additional Email Delegate Permissions T1098.003 Additional Cloud Roles T1098.004 SSH Authorized Keys T1098.005 Device Registration T1098.007 Additional Local or Domain Groups T1136.001 Local Account T1136.002 Domain Account T1136.003 Cloud Account T1137.002 Office Test T1505.002 Transport Agent T1542.001 System Firmware T1542.003 Bootkit T1542.004 ROMMONkit T1542.005 TFTP Boot T1543.001 Launch Agent T1543.002 Systemd Service T1543.003 Windows Service T1543.004 Launch Daemon T1546.003 Windows Management Instrumentation Event Subscription T1546.016 Installer Packages T1547.003 Time Providers T1547.004 Winlogon Helper DLL T1547.006 Kernel Modules and Extensions T1547.007 Re-opened Applications T1547.009 Shortcut Modification T1547.012 Print Processors T1547.013 XDG Autostart Entries T1556.001 Domain Controller Authentication T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.008 Network Provider DLL T1556.009 Conditional Access Policies T1574.005 Executable Installer File Permissions Weakness T1574.010 Services File Permissions Weakness T1574.011 Services Registry Permissions Weakness T1574.012 COR_PROFILER T1574.014 AppDomainManager
Privilege Escalation
T1053 Scheduled Task/Job T1055 Process Injection T1078 Valid Accounts T1098 Account Manipulation T1134 Access Token Manipulation T1484 Domain or Tenant Policy Modification T1543 Create or Modify System Process T1548 Abuse Elevation Control Mechanism T1574 Hijack Execution Flow T1611 Escape to Host T1053.002 At T1053.003 Cron T1053.005 Scheduled Task T1053.006 Systemd Timers T1053.007 Container Orchestration Job T1055.008 Ptrace System Calls T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1098.001 Additional Cloud Credentials T1098.002 Additional Email Delegate Permissions T1098.003 Additional Cloud Roles T1098.004 SSH Authorized Keys T1098.005 Device Registration T1098.007 Additional Local or Domain Groups T1134.001 Token Impersonation/Theft T1134.002 Create Process with Token T1134.003 Make and Impersonate Token T1543.001 Launch Agent T1543.002 Systemd Service T1543.003 Windows Service T1543.004 Launch Daemon T1546.003 Windows Management Instrumentation Event Subscription T1546.016 Installer Packages T1547.003 Time Providers T1547.004 Winlogon Helper DLL T1547.006 Kernel Modules and Extensions T1547.007 Re-opened Applications T1547.009 Shortcut Modification T1547.012 Print Processors T1547.013 XDG Autostart Entries T1548.002 Bypass User Account Control T1548.003 Sudo and Sudo Caching T1548.005 Temporary Elevated Cloud Access T1548.006 TCC Manipulation T1574.005 Executable Installer File Permissions Weakness T1574.010 Services File Permissions Weakness T1574.011 Services Registry Permissions Weakness T1574.012 COR_PROFILER T1574.014 AppDomainManager
Defense Evasion
T1055 Process Injection T1078 Valid Accounts T1134 Access Token Manipulation T1197 BITS Jobs T1218 System Binary Proxy Execution T1222 File and Directory Permissions Modification T1484 Domain or Tenant Policy Modification T1542 Pre-OS Boot T1548 Abuse Elevation Control Mechanism T1550 Use Alternate Authentication Material T1553 Subvert Trust Controls T1556 Modify Authentication Process T1562 Impair Defenses T1574 Hijack Execution Flow T1578 Modify Cloud Compute Infrastructure T1599 Network Boundary Bridging T1601 Modify System Image T1647 Plist File Modification T1055.008 Ptrace System Calls T1078.002 Domain Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1134.001 Token Impersonation/Theft T1134.002 Create Process with Token T1134.003 Make and Impersonate Token T1218.007 Msiexec T1218.015 Electron Applications T1222.001 Windows File and Directory Permissions Modification T1222.002 Linux and Mac File and Directory Permissions Modification T1542.001 System Firmware T1542.003 Bootkit T1542.004 ROMMONkit T1542.005 TFTP Boot T1548.002 Bypass User Account Control T1548.003 Sudo and Sudo Caching T1548.005 Temporary Elevated Cloud Access T1548.006 TCC Manipulation T1550.002 Pass the Hash T1550.003 Pass the Ticket T1553.006 Code Signing Policy Modification T1556.001 Domain Controller Authentication T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.008 Network Provider DLL T1556.009 Conditional Access Policies T1562.001 Disable or Modify Tools T1562.002 Disable Windows Event Logging T1562.004 Disable or Modify System Firewall T1562.006 Indicator Blocking T1562.007 Disable or Modify Cloud Firewall T1562.008 Disable or Modify Cloud Logs T1562.009 Safe Mode Boot T1562.011 Spoof Security Alerting T1562.012 Disable or Modify Linux Audit System T1564.008 Email Hiding Rules T1574.005 Executable Installer File Permissions Weakness T1574.010 Services File Permissions Weakness T1574.011 Services Registry Permissions Weakness T1574.012 COR_PROFILER T1574.014 AppDomainManager T1578.001 Create Snapshot T1578.002 Create Cloud Instance T1578.003 Delete Cloud Instance T1599.001 Network Address Translation Traversal T1601.001 Patch System Image T1601.002 Downgrade System Image
Credential Access
T1003 OS Credential Dumping T1528 Steal Application Access Token T1552 Unsecured Credentials T1556 Modify Authentication Process T1558 Steal or Forge Kerberos Tickets T1621 Multi-Factor Authentication Request Generation T1003.001 LSASS Memory T1003.002 Security Account Manager T1003.003 NTDS T1003.004 LSA Secrets T1003.005 Cached Domain Credentials T1003.006 DCSync T1003.007 Proc Filesystem T1003.008 /etc/passwd and /etc/shadow T1056.003 Web Portal Capture T1552.002 Credentials in Registry T1552.007 Container API T1556.001 Domain Controller Authentication T1556.003 Pluggable Authentication Modules T1556.004 Network Device Authentication T1556.008 Network Provider DLL T1556.009 Conditional Access Policies T1558.001 Golden Ticket T1558.002 Silver Ticket T1558.003 Kerberoasting
Discovery
Lateral Movement
T1021 Remote Services T1072 Software Deployment Tools T1210 Exploitation of Remote Services T1550 Use Alternate Authentication Material T1563 Remote Service Session Hijacking T1021.001 Remote Desktop Protocol T1021.002 SMB/Windows Admin Shares T1021.003 Distributed Component Object Model T1021.004 SSH T1021.005 VNC T1021.006 Windows Remote Management T1021.008 Direct Cloud VM Connections T1550.002 Pass the Hash T1550.003 Pass the Ticket T1563.001 SSH Hijacking T1563.002 RDP Hijacking
Collection
Compliance Mappings
ISO 27001:2022
A.8.19A.8.32A.8.4A.8.9
ISO 27002:2022
5.378.198.328.48.9
COBIT 2019
BAI06BAI10
CIS Controls v8
CIS 12.3CIS 4.6
PCI DSS v4.0.1
6.5
CSA CCM v4
CCC-03CCC-04
CSA AICM v1
CCC-03CCC-04IAM-19MDS-04MDS-07
FINOS CCC
CCC-C07
ISO 42001:2023
A.6.2.5
BSI IT-Grundschutz
OPS.1.1.2
ANSSI
Hygiene.15Hygiene.16Hygiene.17Hygiene.34SecNumCloud.13.2
FINMA Circular 2023/1
IV.A(36)IV.A(37)IV.B.d(59)
OSFI B-13
B-13.2.3B-13.3.2
EU GDPR
Art.32(1)(b)
EU DORA
Art.9(4)(c)Art.9(4)(e)
BIO2
5.378.198.328.48.9
RBI CSF
Annex1.7ITGRCA.13
FISC Security Guidelines
FISC.O3
HKMA TM-E-1
TME1.3.3TME1.4.1TME1.4.2
MLPS 2.0
8.1.10.88.1.5.1
DNB Good Practice
DNB.10.1DNB.10.5DNB.7.1
SWIFT CSCF
SWIFT.6.2
SAMA CSF
3.5
NCA ECC
2-3
UAE IA
T10T7
CBB TM
TM-5
Qatar NIA
OSSD
CBUAE
CR-7
CBE CSF
CTO-12
SA JS2
JS2-7.2
CBN CSF
Part3.3
BoG CISD
CISD-VI
BoM CTRM
3.6
IOSCO Cyber Resilience
PROT-6
CPMI-IOSCO PFMI
CG.PR
FFIEC IS
II.C.10II.C.7(c)
ECB CROE
CROE.2.3.4
EBA ICT Guidelines
3.4.43.6.3
SEBI CSCRF
PR.IP
BOT Cyber Resilience
Ch2.1
CMMC 2.0
CM
10 CFR 73.54
RG5.71-B-CM
IEEE 1686-2022
5.4
DOE C2M2 v2.1
ASSET
PCI PTS v6
B
FIPS 140-3
FIPS 140-3 §7.11
PCI HSM
4
Common Criteria
CC Part 2 — FMT
ISAE 3402
Clause 4
Solvency II
EIOPA-ICT-4.11EIOPA-ICT-4.8
Lloyd's Minimum Standards
MS5.1MS8.4
NAIC Insurance Data Security
4-config
PRA SS1/23
P3.3P3.4
FCA SYSC 13
SYSC 13.6.2SYSC 13.7.4
HITRUST CSF v11
09.a
FDA 21 CFR Part 11
§11.10(k)
FDA Cybersecurity Guidance
SA-3
NHS DSPT
NDG-4.4
CCSS v9.0
1.01.3
Basel SCO60
SCO60.52SCO60.66
BSSC Standards
TIS-08GSP-14
SEC Custody (Digital Assets)
SEC-CD-05
ISO 17799 (legacy)
11.6.1
COBIT 4.1 (legacy)
None.