Access Mediation - Technique D3-AMED | MITRE D3FEND™
D3-AMED (Access Mediation)
Definition
Access mediation is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances). Access mediation decisions should enforce least privilege by granting access for scoped durations to prevent privilege creep and, where applicable, implement just-in-time (JIT) access. Denial decisions may prevent initial access or terminate access that has already been granted, ensuring continuous enforcement of security policies.
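The definition above combines three decisions a mediator has to make: whether a request is permitted at all, for how long a grant should last, and whether access that was already granted must be terminated. The following Python sketch is an added example, not D3FEND's code or any vendor's implementation; the class and function names (AccessMediator, Grant, request_jit, decide, revoke, demo) and the sample policy for subject "alice" on resource "db:prod" are constructed for illustration. It shows a policy decision point that only hands out time-scoped grants, caps just-in-time (JIT) elevation to a maximum duration, drops expired grants so privilege does not accumulate, and revokes standing grants when a later denial decision is made.

```python
"""Added example (not D3FEND's code): a minimal access mediation decision
point with least-privilege, time-scoped grants, JIT elevation and
continuous enforcement. All identifiers and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    action: str
    expires_at: datetime


@dataclass
class AccessMediator:
    # policy: (subject, resource) -> set of permitted actions (constructed sample)
    policy: dict = field(default_factory=dict)
    # active grants, keyed by (subject, resource, action)
    grants: dict = field(default_factory=dict)
    # subjects whose access has been terminated by a denial decision
    revoked: set = field(default_factory=set)
    # hard ceiling on how long any single grant may live (hypothetical value)
    max_grant: timedelta = timedelta(hours=1)

    def request_jit(self, subject, resource, action, duration, now):
        """JIT path: mint a grant only if policy permits; cap its lifetime."""
        if subject in self.revoked:
            return None
        if action not in self.policy.get((subject, resource), set()):
            return None
        ttl = min(duration, self.max_grant)  # least privilege in time
        grant = Grant(subject, resource, action, now + ttl)
        self.grants[(subject, resource, action)] = grant
        return grant

    def decide(self, subject, resource, action, now):
        """Mediate one request: allow only while an unexpired grant exists."""
        if subject in self.revoked:
            return "deny"
        key = (subject, resource, action)
        grant = self.grants.get(key)
        if grant is None or now >= grant.expires_at:
            # expired grants are dropped rather than left lying around
            self.grants.pop(key, None)
            return "deny"
        return "allow"

    def revoke(self, subject):
        """Denial after the fact: terminate everything already granted."""
        self.revoked.add(subject)
        for key in [k for k in self.grants if k[0] == subject]:
            del self.grants[key]


def demo():
    """Walk a constructed timeline and return the mediator's decisions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    pdp = AccessMediator(policy={("alice", "db:prod"): {"read"}})
    out = {}
    out["before_grant"] = pdp.decide("alice", "db:prod", "read", t0)
    grant = pdp.request_jit("alice", "db:prod", "read", timedelta(hours=8), t0)
    out["grant_ttl_minutes"] = int((grant.expires_at - t0).total_seconds() // 60)
    out["during"] = pdp.decide("alice", "db:prod", "read", t0 + timedelta(minutes=30))
    out["write_during"] = pdp.decide("alice", "db:prod", "write", t0 + timedelta(minutes=30))
    out["after_expiry"] = pdp.decide("alice", "db:prod", "read", t0 + timedelta(minutes=61))
    pdp.request_jit("alice", "db:prod", "read", timedelta(minutes=10), t0 + timedelta(hours=2))
    pdp.revoke("alice")
    out["after_revoke"] = pdp.decide("alice", "db:prod", "read", t0 + timedelta(hours=2, minutes=1))
    out["jit_after_revoke"] = pdp.request_jit("alice", "db:prod", "read",
                                              timedelta(minutes=5), t0 + timedelta(hours=3))
    return out


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step}: {decision}")
```

The eight-hour JIT request is silently cut to the one-hour ceiling, a write is denied even while a read grant is live, and once revoke() has run both the live grant and any later JIT request are refused, which is the "terminate access that has already been granted" half of the definition.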
Synonyms: Access Control
Technique Subclasses
There are 17 techniques in this category, listed as Name (ID): Definition. Synonyms.

Access Mediation (D3-AMED): Access mediation is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances). Access mediation decisions should enforce least privilege by granting access for scoped durations to prevent privilege creep and, where applicable, implement just-in-time (JIT) access. Denial decisions may prevent initial access or terminate access that has already been granted, ensuring continuous enforcement of security policies. Synonyms: Access Control.

Endpoint-based Web Server Access Mediation (D3-EBWSAM): Endpoint-based web server access mediation regulates web server access directly from user endpoints by implementing mechanisms such as client-side certificates and endpoint security software to authenticate devices and ensure compliant access.

Credential Transmission Scoping (D3-CTS): Limiting the transmission of a credential to a scoped set of relying parties. Synonyms: Phishing Resistant Authentication.

Local File Access Mediation (D3-LFAM): Local file access mediation is the process of an operating system granting or denying a specific access request to a local file. Synonyms: Local File Access Control.

Network Access Mediation (D3-NAM): Network access mediation is the control method for authorizing access to a system by a user (or a process acting on behalf of a user) communicating through a network, including a local area network, a wide area network, and the Internet. Synonyms: Network Access Control.

Operating Mode Restriction (D3-OPR): Restricting unauthorized changes to the operating mode prevents devices from switching into inappropriate or vulnerable states during normal use.

Remote File Access Mediation (D3-RFAM): Remote file access mediation is the process of managing and securing access to file systems over a network to ensure that only authorized users or processes can interact with remote files. Synonyms: File Share Access Mediation.

System Call Filtering (D3-SCF): Controlling access to local computer system resources with kernel-level capabilities. Synonyms: System Call Control.

Physical Access Mediation (D3-PAM): Physical access mediation is the process of granting or denying specific requests to enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances). Synonyms: Physical Access Control.

Physical Locking (D3-EPL): Employ a mechanical locking device for securing moveable portions of physical barriers (e.g., doors, gates, drawers) in a secured position.

IO Port Restriction (D3-IOPR): Limiting access to computer input/output (IO) ports to restrict unauthorized devices.

Proxy-based Web Server Access Mediation (D3-PBWSAM): Proxy-based web server access mediation focuses on the regulation of web server access through intermediary proxy servers.

OT Variable Access Restriction (D3-OVAR): Assign read/write access controls on designated registers or data tags to prevent unauthorized writes. Synonyms: OT Variable Access Policy.

Web Session Access Mediation (D3-WSAM): Web session access mediation secures user sessions in web applications by employing robust authentication and integrity validation, along with adaptive threat mitigation techniques, to ensure that access to web resources is authorized and protected from session-related attacks.

LAN Access Mediation (D3-LAMED): LAN access mediation encompasses the application of strict access control policies, systematic verification of devices, and authentication mechanisms to govern connectivity to a Local Area Network.

Routing Access Mediation (D3-RAM): Routing access mediation is a network security approach that manages and controls access at the network layer using VPNs, tunneling protocols, firewall rules, and traffic inspection to ensure secure and efficient data routing.

Network Resource Access Mediation (D3-NRAM): Control of access to organizational systems and services by users or processes over a network. Synonyms: Remote Access Control.
Related ATT&CK Techniques: These mappings are inferred, experimental, and will improve as the knowledge graph grows.
Lateral Movement: Taint Shared Content, Software Deployment Tools, Use Alternate Authentication Material, Application Access Token, Web Session Cookie, Internal Spearphishing, Replication Through Removable Media
Privilege Escalation: Abuse Elevation Control Mechanism, Bypass User Account Control, Elevated Execution with Prompt, Sudo and Sudo Caching, Access Token Manipulation, Token Impersonation/Theft, Parent PID Spoofing, Create Process with Token, Make and Impersonate Token, Process Injection, VDSO Hijacking, Ptrace System Calls, Thread Execution Hijacking, Portable Executable Injection, Asynchronous Procedure Call, Process Doppelgänging, Proc Memory, Dynamic-link Library Injection, Thread Local Storage, Account Manipulation, Additional Cloud Credentials, Boot or Logon Autostart Execution, Kernel Modules and Extensions, Re-opened Applications, Plist Modification, Shortcut Modification, Registry Run Keys / Startup Folder, LSASS Driver, Event Triggered Execution, Unix Shell Configuration Modification, Screensaver, Netsh Helper DLL, Component Object Model Hijacking, AppInit DLLs, Emond, LC_LOAD_DYLIB Addition, Accessibility Features, PowerShell Profile, Trap, AppCert DLLs, Hijack Execution Flow, DLL Side-Loading, Dylib Hijacking, COR_PROFILER, Path Interception by Unquoted Path, DLL, Path Interception by PATH Environment Variable, Dynamic Linker Hijacking, Path Interception by Search Order Hijacking, Create or Modify System Process, Launch Daemon, Launch Agent, Systemd Service, Scheduled Task/Job, Launchd, Scheduled Task, Boot or Logon Initialization Scripts, RC Scripts, Login Hook, Network Logon Script, Logon Script (Windows)
Command and Control: Encrypted Channel, Asymmetric Cryptography, Application Layer Protocol, Web Protocols, Communication Through Removable Media
Impact: Defacement, External Defacement, Data Encrypted for Impact, Data Manipulation, Stored Data Manipulation, Runtime Data Manipulation
Collection: Data from Network Shared Drive, Audio Capture, Data Staged, Remote Data Staging, Local Data Staging, Screen Capture, Automated Collection, Data from Information Repositories, Sharepoint, Confluence, Video Capture, Archive Collected Data, Archive via Custom Method, Archive via Library, Archive via Utility, Data from Removable Media, Data from Local System, Input Capture, Keylogging, Email Collection, Local Email Collection
Discovery: System Network Configuration Discovery, Application Window Discovery, Software Discovery, Security Software Discovery, System Service Discovery, System Information Discovery, Remote System Discovery, System Owner/User Discovery, System Network Connections Discovery, System Time Discovery, File and Directory Discovery, Query Registry, Process Discovery, Virtualization/Sandbox Evasion, Time Based Checks
Persistence: Account Manipulation, Additional Cloud Credentials, Office Application Startup, Office Template Macros, Outlook Forms, Boot or Logon Autostart Execution, Kernel Modules and Extensions, Re-opened Applications, Plist Modification, Shortcut Modification, Registry Run Keys / Startup Folder, LSASS Driver, Event Triggered Execution, Unix Shell Configuration Modification, Screensaver, Netsh Helper DLL, Component Object Model Hijacking, AppInit DLLs, Emond, LC_LOAD_DYLIB Addition, Accessibility Features, PowerShell Profile, Trap, AppCert DLLs, Hijack Execution Flow, DLL Side-Loading, Dylib Hijacking, COR_PROFILER, Path Interception by Unquoted Path, DLL, Path Interception by PATH Environment Variable, Dynamic Linker Hijacking, Path Interception by Search Order Hijacking, Server Software Component, Transport Agent, Web Shell, SQL Stored Procedures, Modify Authentication Process, Password Filter DLL, Pluggable Authentication Modules, Create or Modify System Process, Launch Daemon, Launch Agent, Systemd Service, Scheduled Task/Job, Launchd, Scheduled Task, Boot or Logon Initialization Scripts, RC Scripts, Login Hook, Network Logon Script, Logon Script (Windows)
Initial Access: Phishing, Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, Replication Through Removable Media
Execution: Software Deployment Tools, User Execution, Malicious File, Command and Scripting Interpreter, Scheduled Task/Job, Launchd, Scheduled Task, Windows Management Instrumentation, Native API
Credential Access: Exploitation for Credential Access, Brute Force, Password Guessing, Password Spraying, Password Cracking, OS Credential Dumping, NTDS, /etc/passwd and /etc/shadow, Cached Domain Credentials, LSASS Memory, Proc Filesystem, LSA Secrets, Security Account Manager, Steal or Forge Kerberos Tickets, Golden Ticket, Unsecured Credentials, Credentials In Files, Shell History, Modify Authentication Process, Password Filter DLL, Pluggable Authentication Modules, Steal Application Access Token, Forced Authentication, Credentials from Password Stores, Credentials from Web Browsers, Steal Web Session Cookie, Multi-Factor Authentication Request Generation, Keychain, Input Capture, Keylogging, Forge Web Credentials, Web Cookies, Steal or Forge Authentication Certificates
Defense Evasion: System Binary Proxy Execution, Mavinject, Control Panel, Compiled HTML File, Mshta, Rundll32, CMSTP, Abuse Elevation Control Mechanism, Bypass User Account Control, Elevated Execution with Prompt, Sudo and Sudo Caching, Indicator Removal, Clear Linux or Mac System Logs, Network Share Connection Removal, File Deletion, Masquerading, Space after Filename, Invalid Code Signature, Rename Legitimate Utilities, Match Legitimate Resource Name or Location, Access Token Manipulation, Token Impersonation/Theft, Parent PID Spoofing, Create Process with Token, Make and Impersonate Token, Process Injection, VDSO Hijacking, Ptrace System Calls, Thread Execution Hijacking, Portable Executable Injection, Asynchronous Procedure Call, Process Doppelgänging, Proc Memory, Dynamic-link Library Injection, Thread Local Storage, Obfuscated Files or Information, Compile After Delivery, Software Packing, Binary Padding, Use Alternate Authentication Material, Application Access Token, Web Session Cookie, Hide Artifacts, Run Virtual Instance, Hidden Window, VBA Stomping, Hidden Users, Trusted Developer Utilities Proxy Execution, MSBuild, Hijack Execution Flow, DLL Side-Loading, Dylib Hijacking, COR_PROFILER, Path Interception by Unquoted Path, DLL, Path Interception by PATH Environment Variable, Dynamic Linker Hijacking, Path Interception by Search Order Hijacking, Deobfuscate/Decode Files or Information, Modify Authentication Process, Password Filter DLL, Pluggable Authentication Modules, Rootkit, Impair Defenses, Impair Command History Logging, Disable or Modify Tools, XSL Script Processing, Virtualization/Sandbox Evasion, Time Based Checks
Exfiltration: Exfiltration Over C2 Channel, Exfiltration Over Physical Medium, Exfiltration over USB, Exfiltration Over Alternative Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
References
The following references were used to develop the Access Mediation knowledge-base article. (Note: the consideration of references does not imply specific functionality exists in an offering.)
Committee on National Security Systems (CNSS) Glossary. Reference type: Guideline. Organization: Committee on National Security Systems (CNSS).
D3FEND: A knowledge graph of cybersecurity countermeasures, version 1.4.0