• MITRE logo
  • matrix
  • artifacts
  • about
  • resources
  • contribute
  • faq
  • NSA logo
Esc

Bypass User Access Control - T1548.002

(ATT&CK® Technique)


D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

graph LR; T1548002["Bypass User Access Control"] --> |invokes| CreateProcess["Create Process"]; class T1548002 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1548002["Bypass User Access Control"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1548002 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1548002["Bypass User Access Control"] --> |executes| ExecutableFile["Executable File"]; class T1548002 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; DecoyFile["Decoy File"] -.-> | May Deceive | T1548002["Bypass User Access Control"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; FileEncryption["File Encryption"] -.-> | May Harden | T1548002["Bypass User Access Control"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1548002["Bypass User Access Control"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; SystemCallFiltering["System Call Filtering"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";
json





Use of the MITRE D3FEND™ Knowledge Graph and website is subject to the Terms of Use. Use of the MITRE D3FEND website is subject to the MITRE D3FEND Privacy Policy. MITRE D3FEND is funded by the National Security Agency (NSA) Cybersecurity Directorate and managed by the National Security Engineering Center (NSEC) which is operated by The MITRE Corporation. MITRE D3FEND; and the MITRE D3FEND logo are trademarks of The MITRE Corporation. MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. MITRE ATT&CK content is subject to the MITRE ATT&CK terms of use. This software was produced for the U. S. Government under Basic Contract No. W56KGU-18-D-0004, and is subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause 252.227-7014 (FEB 2012)
© 2022 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited #20-2338.