CIS_v8 6: CIS Control 6

Adam Lundqvist
Founder at SQUR · last verified 2026-06-20

Regulation text

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

ATT&CK techniques this article tests · 15

Technique · Why it maps · Confidence

T1078 · Attackers exploit valid accounts to gain initial access, maintain persistence, and escalate privileges. Control 6 directly addresses this by mandating robust management of user, administrator, and service accounts, including creation, assignment, and revocation processes. This reduces the attack surface for credential-based attacks. · 90%

T1003 · Credential dumping techniques aim to extract credentials from system memory or storage. Implementing strong access credential management, as per Control 6, reduces the likelihood of easily accessible or weak credentials being present, making dumping less effective. This includes secure storage and handling of credentials. · 80%

T1098 · Account manipulation involves modifying existing accounts or creating new ones for persistence or privilege escalation. Control 6's requirement for managing and revoking access credentials and privileges directly counters this by ensuring unauthorized account changes are detected and remediated, and dormant accounts are removed. · 80%

T1136 · Creating new accounts provides attackers with persistence and potential access. Control 6 mandates processes for creating and managing accounts, ensuring that all new accounts are authorized, properly configured with least privilege, and monitored, thereby preventing unauthorized account creation. · 80%

T1055 · Process injection can be used to run code in the context of a privileged process, potentially leading to privilege escalation. While not directly preventing injection, Control 6's focus on least privilege for service accounts and administrators limits the impact of such an attack by reducing the privileges available to compromised processes. · 60%

T1068 · Exploitation for privilege escalation often relies on vulnerabilities that grant higher privileges. Control 6, by enforcing least privilege, limits the initial access an attacker gains, making it harder to find and exploit vulnerabilities that lead to significant privilege escalation from a low-privileged account. · 70%

T1027 · Obfuscated files or information can hide malicious code or credentials. While Control 6 primarily focuses on credential management, strong access controls and privilege separation make it harder for attackers to deploy or execute obfuscated code that requires elevated privileges. · 50%

T1078.001 · Default accounts are a common target for initial access. Control 6's emphasis on managing and revoking access credentials includes securing or disabling default accounts, significantly reducing this attack vector. This ensures all accounts are actively managed and secured. · 90%

T1078.002 · Domain accounts are critical targets for attackers seeking broad access. Control 6 directly addresses the management of these accounts, including their creation, privileges, and revocation, thereby limiting unauthorized access and potential lateral movement within a domain. · 90%

T1078.003 · Local accounts, especially those with administrative privileges, are frequently exploited. Control 6 mandates the management and revocation of these credentials, ensuring that local administrative accounts are properly secured and monitored, and that their privileges are minimized. · 90%

T1078.004 · Cloud accounts are a primary target for initial access and resource manipulation. Control 6 extends to managing credentials and privileges for cloud-based user, administrator, and service accounts, ensuring consistent security policies across hybrid environments. · 90%

T1003.001 · Dumping LSASS memory is a common method for credential theft. Control 6's focus on least privilege and secure credential storage reduces the chances of an attacker gaining the necessary privileges to dump LSASS or finding valuable credentials within it. · 80%

T1003.002 · Extracting credentials from the Security Account Manager (SAM) database is a direct credential access technique. Control 6 mitigates this by enforcing strong password policies and limiting access to the SAM database to only authorized, privileged accounts. · 80%

T1003.003 · NTDS.dit file dumping targets Active Directory credentials. Control 6's principles of least privilege and strict management of domain administrator accounts directly reduce the risk of an attacker gaining access to this critical file. · 80%

T1003.005 · Cached domain credentials can be targeted for offline cracking or reuse. Control 6, through strong password policies and regular credential rotation, reduces the utility of such cached credentials if they are compromised. · 70%

Defending mitigations · 6

Mitigation · What it does · Confidence

M1030 · User account management is central to Control 6, which mandates processes for creating, assigning, managing, and revoking access credentials. This directly implements M1030 by ensuring all accounts are properly controlled throughout their lifecycle. · 90%

M1026 · Privileged account management is a core component of Control 6, requiring specific processes for administrator and service accounts. This directly aligns with M1026 by ensuring these high-value accounts are rigorously controlled and monitored. · 90%

M1043 · Multi-factor authentication (MFA) enhances credential security. While not explicitly stated in Control 6, strong credential management often includes MFA as a best practice, making compromised credentials less useful to attackers. This strengthens the overall access control posture. · 80%

M1017 · User training is crucial for preventing credential compromise. Control 6's effectiveness relies on users understanding and adhering to secure credential practices, which is reinforced through training programs (M1017). This reduces human error in credential handling. · 80%

M1032 · Standard user accounts limit the impact of compromise. Control 6 promotes the use of least privilege, ensuring that users operate with the minimum necessary permissions, thus aligning with M1032 by reducing the scope of potential damage from a compromised account. · 70%

M1027 · Password policies are fundamental to credential strength. Control 6's requirement for managing access credentials implicitly includes enforcing strong password policies (M1027) to prevent brute-force attacks and credential guessing. · 70%

Underlying weaknesses · 6

CWE · Why it persists · Confidence

CWE-798 · Use of hard-coded credentials bypasses proper access management. Control 6 directly addresses this by requiring processes to create, assign, manage, and revoke credentials, preventing the existence of unmanaged, hard-coded secrets. · 90%

CWE-287 · Improper authentication allows unauthorized access. Control 6 mitigates this by ensuring credentials are properly managed and revoked, enforcing legitimate authentication processes and preventing unauthorized access attempts. · 90%

CWE-269 · Improper privilege management leads to excessive permissions. Control 6 directly counters this by requiring processes to manage and revoke privileges, ensuring least privilege is applied to all user, administrator, and service accounts. · 80%

CWE-306 · Missing authentication for a critical function allows unauthorized actions. Control 6 ensures that all access to enterprise assets and software is governed by properly managed and authenticated credentials, preventing unauthenticated access to critical functions. · 80%

CWE-284 · Improper access control allows unauthorized actions. Control 6 directly addresses this by establishing formal processes for assigning and revoking access credentials and privileges, ensuring that only authorized entities can perform specific actions. · 70%

CWE-259 · Use of hard-coded passwords creates a significant security risk. Control 6's mandate for managing and revoking credentials discourages and helps eliminate the practice of hard-coding passwords, promoting dynamic and secure credential handling. · 70%

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0199 compute · voice-rubric self-validated