Bypass User Access Control - T1548.002

graph LR; T1548002["Bypass User Access Control"] --> |invokes| CreateProcess["Create Process"]; class T1548002 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1548002["Bypass User Access Control"] --> |executes| ExecutableFile["Executable File"]; class T1548002 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1548002["Bypass User Access Control"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1548002 OffensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; click T1548002 href "/offensive-technique/attack/T1548.002/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; FileEncryption["File Encryption"] -.-> | May Harden | T1548002["Bypass User Access Control"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1548002["Bypass User Access Control"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; DecoyFile["Decoy File"] -.-> | May Deceive | T1548002["Bypass User Access Control"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] --> | restricts | CreateProcess["Create Process"]; class ExecutableDenylisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class CreateProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | restricts | CreateProcess["Create Process"]; class ExecutableAllowlisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ConfigurationInventory["Configuration Inventory"] --> | inventories | SystemConfigurationDatabaseRecord["System Configuration Database Record"]; ConfigurationInventory["Configuration Inventory"] -.-> | May Model | T1548002["Bypass User Access Control"] ; class ConfigurationInventory DefensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click ConfigurationInventory href "/technique/d3f:ConfigurationInventory"; AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] --> | evaluates | CreateProcess["Create Process"]; AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] -.-> | May Model | T1548002["Bypass User Access Control"] ; class AssetVulnerabilityEnumeration DefensiveTechniqueNode; class CreateProcess ArtifactNode; click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration"; AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] --> | evaluates | SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class AssetVulnerabilityEnumeration DefensiveTechniqueNode; class SystemConfigurationDatabaseRecord ArtifactNode; click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration"; AssetVulnerabilityEnumeration["Asset Vulnerability Enumeration"] --> | evaluates | ExecutableFile["Executable File"]; class AssetVulnerabilityEnumeration DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click AssetVulnerabilityEnumeration href "/technique/d3f:AssetVulnerabilityEnumeration"; MandatoryAccessControl["Mandatory Access Control"] --> | restricts | CreateProcess["Create Process"]; MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class MandatoryAccessControl DefensiveTechniqueNode; class CreateProcess ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; SystemCallFiltering["System Call Filtering"] -.-> | May Isolate | T1548002["Bypass User Access Control"] ; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1548002["Bypass User Access Control"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis";