# M1026 — Privileged Account Management

## Description

Privileged Account Management focuses on implementing policies, controls and tools to manage privileged accounts (e.g. SYSTEM, root or administrative accounts) securely. This includes restricting access, limiting the scope of permissions, monitoring the use of privileged accounts and ensuring accountability through logging and auditing.

This mitigation can be implemented through the following measures:

Account Permissions and Roles:
- Implement RBAC and least-privilege principles to allocate permissions securely.
- Use tools such as Active Directory Group Policies to enforce access restrictions.

Credential Security:
- Deploy password vault tools such as CyberArk, HashiCorp Vault or KeePass for secure storage and rotation of credentials.
- Enforce password policies for complexity, uniqueness and expiration using tools such as Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):
- Enforce MFA for all privileged accounts using Duo Security, Okta or Microsoft Azure AD MFA.

Privileged Access Management (PAM):
- Use PAM solutions such as CyberArk, BeyondTrust or Thycotic to manage, monitor and audit privileged access.

Auditing and Monitoring:
- Integrate activity monitoring with a SIEM (e.g. Splunk or QRadar) to detect and alert on anomalous use of privileged accounts.

Just-In-Time Access:
- Deploy JIT solutions such as Azure Privileged Identity Management (PIM), or configure ephemeral roles in AWS and GCP, to grant elevated permissions for a limited time.

*Tools for Implementation*

Privileged Access Management (PAM):
- CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:
- Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:
- Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management:
- sudo configuration, SELinux, AppArmor.

Just-In-Time Access:
- Azure Privileged Identity Management (PIM), AWS IAM Roles with session restrictions, GCP Identity-Aware Proxy.

## Implementation Flow

```mermaid
graph TB
    A["Inventory privileged accounts<br/>Map local and domain admins"] --> B["Deploy PAM<br/>CyberArk / BeyondTrust / HashiCorp"]
    B --> C["Apply JIT access<br/>Temporary, audited permissions"]
    C --> D["Enforce MFA<br/>For every privileged account"]
    D --> E["Monitor and alert<br/>SIEM + usage anomalies"]
```

## LATAM Context

> [!globe] Regional Relevance
> Privileged account management is one of the largest security gaps in Brazil. Kerberoasting ([[t1558-003-kerberoasting|T1558.003]]) and Pass-the-Hash ([[t1550-002-pass-the-hash|T1550.002]]) attacks are widely used in campaigns targeting the Active Directory of Brazilian companies, especially in the financial sector and government.
> - Adoption in Brazilian SOCs: low (commercial PAM is expensive; many companies rely on GPO alone)
> - Relevant regulations: BACEN 4893 (privileged access control for financial institutions), LGPD (accountability for access to personal data), PCI-DSS (sections 7 and 8)
> - Regional challenges: cost of enterprise PAM solutions, shortage of specialized professionals, cultural resistance to restricting privileges in IT

## Mitigated Techniques

| ID | Technique |
|---|---------|
| T1053.005 | [[t1053-005-scheduled-task\|T1053.005 — Scheduled Task]] |
| T1550.003 | [[t1550-003-pass-the-ticket\|T1550.003 — Pass the Ticket]] |
| T1555.006 | [[t1555-006-cloud-secrets-management-stores\|T1555.006 — Cloud Secrets Management Stores]] |
| T1505.004 | [[t1505-004-iis-components\|T1505.004 — IIS Components]] |
| T1556.005 | [[t1556-005-reversible-encryption\|T1556.005 — Reversible Encryption]] |
| T1555 | [[t1555-credentials-from-password-stores\|T1555 — Credentials from Password Stores]] |
| T1569.002 | [[t1569-002-service-execution\|T1569.002 — Service Execution]] |
| T1505.002 | [[t1505-002-transport-agent\|T1505.002 — Transport Agent]] |
| T1047 | [[t1047-windows-management-instrumentation\|T1047 — Windows Management Instrumentation]] |
| T1552.002 | [[t1552-002-credentials-in-registry\|T1552.002 — Credentials in Registry]] |
| T1098.003 | [[t1098-003-additional-cloud-roles\|T1098.003 — Additional Cloud Roles]] |
| T1222.001 | [[t1222-001-windows-file-and-directory-permissions-modification\|T1222.001 — Windows File and Directory Permissions Modification]] |
| T1556.003 | [[t1556-003-pluggable-authentication-modules\|T1556.003 — Pluggable Authentication Modules]] |
| T1021.006 | [[t1021-006-windows-remote-management\|T1021.006 — Windows Remote Management]] |
| T1569 | [[t1569-system-services\|T1569 — System Services]] |
| T1599 | [[t1599-network-boundary-bridging\|T1599 — Network Boundary Bridging]] |
| T1003.008 | [[t1003-008-etcpasswd-and-etcshadow\|T1003.008 — /etc/passwd and /etc/shadow]] |
| T1072 | [[t1072-software-deployment-tools\|T1072 — Software Deployment Tools]] |
| T1543 | [[t1543-create-or-modify-system-process\|T1543 — Create or Modify System Process]] |
| T1553.006 | [[t1553-006-code-signing-policy-modification\|T1553.006 — Code Signing Policy Modification]] |
| T1484 | [[t1484-domain-or-tenant-policy-modification\|T1484 — Domain or Tenant Policy Modification]] |
| T1547.006 | [[t1547-006-kernel-modules-and-extensions\|T1547.006 — Kernel Modules and Extensions]] |
| T1134.003 | [[t1134-003-make-and-impersonate-token\|T1134.003 — Make and Impersonate Token]] |
| T1542.001 | [[t1542-001-system-firmware\|T1542.001 — System Firmware]] |
| T1078.002 | [[t1078-002-domain-accounts\|T1078.002 — Domain Accounts]] |
| T1190 | [[t1190-exploit-public-facing-application\|T1190 — Exploit Public-Facing Application]] |
| T1078.004 | [[t1078-004-cloud-accounts\|T1078.004 — Cloud Accounts]] |
| T1078.003 | [[t1078-003-local-accounts\|T1078.003 — Local Accounts]] |
| T1558.002 | [[t1558-002-silver-ticket\|T1558.002 — Silver Ticket]] |
| T1612 | [[t1612-build-image-on-host\|T1612 — Build Image on Host]] |
| T1484.002 | [[t1484-002-trust-modification\|T1484.002 — Trust Modification]] |
| T1098.002 | [[t1098-002-additional-email-delegate-permissions\|T1098.002 — Additional Email Delegate Permissions]] |
| T1059.013 | [[t1059-013-container-cliapi\|T1059.013 — Container CLI/API]] |
| T1003.003 | [[t1003-003-ntds\|T1003.003 — NTDS]] |
| T1222.002 | [[t1222-002-linux-and-mac-file-and-directory-permissions-modification\|T1222.002 — Linux and Mac File and Directory Permissions Modification]] |
| T1542.005 | [[t1542-005-tftp-boot\|T1542.005 — TFTP Boot]] |
| T1134.002 | [[t1134-002-create-process-with-token\|T1134.002 — Create Process with Token]] |
| T1606 | [[t1606-forge-web-credentials\|T1606 — Forge Web Credentials]] |
| T1559.001 | [[t1559-001-component-object-model\|T1559.001 — Component Object Model]] |
| T1611 | [[t1611-escape-to-host\|T1611 — Escape to Host]] |
| T1136.003 | [[t1136-003-cloud-account\|T1136.003 — Cloud Account]] |
| T1218 | [[t1218-system-binary-proxy-execution\|T1218 — System Binary Proxy Execution]] |
| T1550 | [[t1550-use-alternate-authentication-material\|T1550 — Use Alternate Authentication Material]] |
| T1053.007 | [[t1053-007-container-orchestration-job\|T1053.007 — Container Orchestration Job]] |
| T1553 | [[t1553-subvert-trust-controls\|T1553 — Subvert Trust Controls]] |
| T1003.002 | [[t1003-002-security-account-manager\|T1003.002 — Security Account Manager]] |
| T1055 | [[t1055-process-injection\|T1055 — Process Injection]] |
| T1548 | [[t1548-abuse-elevation-control-mechanism\|T1548 — Abuse Elevation Control Mechanism]] |
| T1556.001 | [[t1556-001-domain-controller-authentication\|T1556.001 — Domain Controller Authentication]] |
| T1552.007 | [[t1552-007-container-api\|T1552.007 — Container API]] |
| T1078 | [[t1078-valid-accounts\|T1078 — Valid Accounts]] |
| T1098.001 | [[t1098-001-additional-cloud-credentials\|T1098.001 — Additional Cloud Credentials]] |
| T1525 | [[t1525-implant-internal-image\|T1525 — Implant Internal Image]] |
| T1053 | [[t1053-scheduled-taskjob\|T1053 — Scheduled Task/Job]] |
| T1548.002 | [[t1548-002-bypass-user-account-control\|T1548.002 — Bypass User Account Control]] |
| T1021.002 | [[t1021-002-smbwindows-admin-shares\|T1021.002 — SMB/Windows Admin Shares]] |
| T1548.006 | [[t1548-006-tcc-manipulation\|T1548.006 — TCC Manipulation]] |
| T1542.003 | [[t1542-003-bootkit\|T1542.003 — Bootkit]] |
| T1222 | [[t1222-file-and-directory-permissions-modification\|T1222 — File and Directory Permissions Modification]] |
| T1609 | [[t1609-container-administration-command\|T1609 — Container Administration Command]] |
| T1562.009 | [[t1562-009-safe-mode-boot\|T1562.009 — Safe Mode Boot]] |
| T1210 | [[t1210-exploitation-of-remote-services\|T1210 — Exploitation of Remote Services]] |
| T1098 | [[t1098-account-manipulation\|T1098 — Account Manipulation]] |
| T1003 | [[t1003-os-credential-dumping\|T1003 — OS Credential Dumping]] |
| T1546 | [[t1546-event-triggered-execution\|T1546 — Event Triggered Execution]] |
| T1601.001 | [[t1601-001-patch-system-image\|T1601.001 — Patch System Image]] |
| T1558.001 | [[t1558-001-golden-ticket\|T1558.001 — Golden Ticket]] |
| T1556.007 | [[t1556-007-hybrid-identity\|T1556.007 — Hybrid Identity]] |
| T1546.003 | [[t1546-003-windows-management-instrumentation-event-subscription\|T1546.003 — Windows Management Instrumentation Event Subscription]] |
| T1003.001 | [[t1003-001-lsass-memory\|T1003.001 — LSASS Memory]] |
| T1059 | [[t1059-command-and-scripting-interpreter\|T1059 — Command and Scripting Interpreter]] |
| T1056.003 | [[t1056-003-web-portal-capture\|T1056.003 — Web Portal Capture]] |
| T1550.002 | [[t1550-002-pass-the-hash\|T1550.002 — Pass the Hash]] |
| T1601.002 | [[t1601-002-downgrade-system-image\|T1601.002 — Downgrade System Image]] |
| T1542 | [[t1542-pre-os-boot\|T1542 — Pre-OS Boot]] |
| T1136 | [[t1136-create-account\|T1136 — Create Account]] |
| T1495 | [[t1495-firmware-corruption\|T1495 — Firmware Corruption]] |
| T1606.002 | [[t1606-002-saml-tokens\|T1606.002 — SAML Tokens]] |
| T1563.002 | [[t1563-002-rdp-hijacking\|T1563.002 — RDP Hijacking]] |
| T1134 | [[t1134-access-token-manipulation\|T1134 — Access Token Manipulation]] |
| T1543.002 | [[t1543-002-systemd-service\|T1543.002 — Systemd Service]] |
| T1136.001 | [[t1136-001-local-account\|T1136.001 — Local Account]] |
| T1003.005 | [[t1003-005-cached-domain-credentials\|T1003.005 — Cached Domain Credentials]] |
| T1556.004 | [[t1556-004-network-device-authentication\|T1556.004 — Network Device Authentication]] |
| T1003.004 | [[t1003-004-lsa-secrets\|T1003.004 — LSA Secrets]] |
| T1059.009 | [[t1059-009-cloud-api\|T1059.009 — Cloud API]] |
| T1559 | [[t1559-inter-process-communication\|T1559 — Inter-Process Communication]] |
| T1505.001 | [[t1505-001-sql-stored-procedures\|T1505.001 — SQL Stored Procedures]] |
| T1055.008 | [[t1055-008-ptrace-system-calls\|T1055.008 — Ptrace System Calls]] |
| T1599.001 | [[t1599-001-network-address-translation-traversal\|T1599.001 — Network Address Translation Traversal]] |
| T1003.007 | [[t1003-007-proc-filesystem\|T1003.007 — Proc Filesystem]] |
| T1134.001 | [[t1134-001-token-impersonationtheft\|T1134.001 — Token Impersonation/Theft]] |
| T1003.006 | [[t1003-006-dcsync\|T1003.006 — DCSync]] |
| T1556 | [[t1556-modify-authentication-process\|T1556 — Modify Authentication Process]] |
| T1021.007 | [[t1021-007-cloud-services\|T1021.007 — Cloud Services]] |
| T1601 | [[t1601-modify-system-image\|T1601 — Modify System Image]] |
| T1053.002 | [[t1053-002-at\|T1053.002 — At]] |
| T1552 | [[t1552-unsecured-credentials\|T1552 — Unsecured Credentials]] |
| T1563 | [[t1563-remote-service-session-hijacking\|T1563 — Remote Service Session Hijacking]] |
| T1563.001 | [[t1563-001-ssh-hijacking\|T1563.001 — SSH Hijacking]] |
| T1059.001 | [[t1059-001-powershell\|T1059.001 — PowerShell]] |
| T1021.001 | [[t1021-001-remote-desktop-protocol\|T1021.001 — Remote Desktop Protocol]] |
| T1053.006 | [[t1053-006-systemd-timers\|T1053.006 — Systemd Timers]] |
| T1136.002 | [[t1136-002-domain-account\|T1136.002 — Domain Account]] |
| T1021.003 | [[t1021-003-distributed-component-object-model\|T1021.003 — Distributed Component Object Model]] |
| T1059.008 | [[t1059-008-network-device-cli\|T1059.008 — Network Device CLI]] |
| T1218.007 | [[t1218-007-msiexec\|T1218.007 — Msiexec]] |
| T1505 | [[t1505-server-software-component\|T1505 — Server Software Component]] |
| T1548.003 | [[t1548-003-sudo-and-sudo-caching\|T1548.003 — Sudo and Sudo Caching]] |
| T1651 | [[t1651-cloud-administration-command\|T1651 — Cloud Administration Command]] |
| T1558.003 | [[t1558-003-kerberoasting\|T1558.003 — Kerberoasting]] |
| T1558 | [[t1558-steal-or-forge-kerberos-tickets\|T1558 — Steal or Forge Kerberos Tickets]] |

---
*Source: [MITRE ATT&CK — M1026](https://attack.mitre.org/mitigations/M1026)*
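As an added example (not from the MITRE page or this note), the following shows how the Just-In-Time, MFA and SIEM-monitoring measures described above combine into one correlation check: each privileged logon is matched against time-bounded JIT activations, the activation's MFA flag, and a list of hosts where admin logons are expected. The account names, hosts, timestamps, the simplified event fields and the `TIER0_HOSTS` set are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed JIT activations: a PIM-style grant gives a role for a bounded window.
JIT_ACTIVATIONS = [
    {"user": "alice.adm", "start": "2024-05-01T09:00:00", "hours": 2, "mfa": True},
    {"user": "bob.adm", "start": "2024-05-01T13:00:00", "hours": 1, "mfa": False},
]

# Constructed privileged-logon records (fields loosely modelled on Windows 4624/4672).
# logon_type 2 = Interactive, 10 = RemoteInteractive (RDP).
LOGONS = [
    {"ts": "2024-05-01T09:30:00", "user": "alice.adm", "host": "DC01", "logon_type": 10},
    {"ts": "2024-05-01T11:45:00", "user": "alice.adm", "host": "DC01", "logon_type": 10},
    {"ts": "2024-05-01T13:10:00", "user": "bob.adm", "host": "DC01", "logon_type": 10},
    {"ts": "2024-05-01T02:00:00", "user": "svc_backup", "host": "WS-042", "logon_type": 2},
]

# Hosts where privileged interactive logons are expected (Tier-0 assets); assumed list.
TIER0_HOSTS = {"DC01", "DC02", "PAM01"}


def active_activation(user, when):
    """Return the JIT activation covering datetime `when` for `user`, else None."""
    for act in JIT_ACTIVATIONS:
        start = datetime.fromisoformat(act["start"])
        if act["user"] == user and start <= when < start + timedelta(hours=act["hours"]):
            return act
    return None


def check_logon(event):
    """Return policy findings for one privileged logon; an empty list means compliant."""
    findings = []
    act = active_activation(event["user"], datetime.fromisoformat(event["ts"]))
    if act is None:
        findings.append("no_active_jit")          # standing privilege or expired grant
    elif not act["mfa"]:
        findings.append("jit_without_mfa")        # elevated without a second factor
    if event["logon_type"] in (2, 10) and event["host"] not in TIER0_HOSTS:
        findings.append("interactive_on_non_tier0")  # admin credentials exposed on a workstation
    return findings


def triage(events):
    """Map each non-compliant logon, keyed by (user, ts), to its findings."""
    return {(e["user"], e["ts"]): f for e in events if (f := check_logon(e))}
```

In a real deployment the activation list would come from the PAM or PIM audit feed and the logons from the SIEM, but the three checks stay the same.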