Esc
Bypass User Access Control - T1548.002
(ATT&CK® Technique)
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1548002["Bypass User Access Control"] --> |invokes| CreateProcess["Create Process"]; class T1548002 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1548002["Bypass User Access Control"] --> |executes| ExecutableFile["Executable File"]; class T1548002 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1548002["Bypass User Access Control"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1548002 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableFile["Executable File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class CreateProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | restricts | CreateProcess["Create Process"]; class ExecutableAllowlisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | restricts | CreateProcess["Create Process"]; ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class ExecutableDenylisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; FileRemoval["File Removal"] --> | deletes | ExecutableFile["Executable File"]; FileRemoval["File Removal"] -.-> | May Evict | T1548002["Bypass User Access Control"] ; class FileRemoval DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileRemoval href "/technique/d3f:FileRemoval"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; DecoyFile["Decoy File"] -.-> | May Deceive | T1548002["Bypass User Access Control"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; FileEncryption["File Encryption"] -.-> | May Harden | T1548002["Bypass User Access Control"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1548002["Bypass User Access Control"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"]; RestoreFile["Restore File"] -.-> | May Restore | T1548002["Bypass User Access Control"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"]; RestoreConfiguration["Restore Configuration"] -.-> | May Restore | T1548002["Bypass User Access Control"] ; class RestoreConfiguration DefensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; MandatoryAccessControl["Mandatory Access Control"] --> | restricts | CreateProcess["Create Process"]; MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class MandatoryAccessControl DefensiveTechniqueNode; class CreateProcess ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; SystemCallFiltering["System Call Filtering"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";