Account Discovery: Domain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Commands such as `net user /domain` and `net group /domain` of the Net utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain users and groups. None of these require elevated privileges: by default any authenticated domain principal can read user and group objects from Active Directory, so the enumeration itself is rarely blocked and has to be caught in telemetry instead.
Procedure Examples

Name | Description |
---|---|
SoreFang | SoreFang can enumerate domain accounts via |
Net | Net commands used with the |
Bazar | Bazar has the ability to identify domain administrator accounts.(Citation: NCC Group Team9 June 2020)(Citation: DFIR Ryuk's Return October 2020) |
FIN6 | FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016) |
CrackMapExec | CrackMapExec can enumerate the domain user accounts on a targeted system.(Citation: CME Github September 2018) |
Ke3chang | Ke3chang performs account discovery using commands such as |
Sykipot | Sykipot may use |
BoomBox | BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.(Citation: MSTIC Nobelium Toolset May 2021) |
Lazarus Group | Lazarus Group has queried an Active Directory server to obtain the list of accounts, including administrator accounts.(Citation: ESET Lazarus Jun 2020) |
MuddyWater | MuddyWater has used |
dsquery | dsquery can be used to gather information on user accounts within a domain.(Citation: TechNet Dsquery) |
BloodHound | BloodHound can collect information about domain users, including identification of domain admin accounts.(Citation: CrowdStrike BloodHound April 2018) |
LAPSUS$ | LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022) |
Chimera | Chimera has used |
Empire | Empire can acquire local and domain user account information.(Citation: Github PowerShell Empire)(Citation: SecureWorks August 2019) |
menuPass | menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
OilRig | OilRig has run |
PoshC2 | PoshC2 can enumerate local and domain user account information.(Citation: GitHub PoshC2) |
POWRUNER | POWRUNER may collect user account information by running |
Turla | Turla has used |
Operation CuckooBees | During Operation CuckooBees, the threat actors used the `dsquery` and `dsget` commands to get domain environment information and to query users in administrative groups.(Citation: Cybereason OperationCuckooBees May 2022) |
SILENTTRINITY | SILENTTRINITY can use `System.Security.AccessControl` namespaces to retrieve domain user information.(Citation: GitHub SILENTTRINITY Modules July 2019) |
Wizard Spider | Wizard Spider has identified domain admins through the use of “net group ‘Domain admins’” commands.(Citation: DFIR Ryuk's Return October 2020) |
Fox Kitten | Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
Stuxnet | Stuxnet enumerates user accounts of the domain.(Citation: Symantec W.32 Stuxnet Dossier) |
Operation Wocao | During Operation Wocao, threat actors used the `net` command to retrieve information about domain accounts.(Citation: FoxIT Wocao December 2019) |
Cobalt Strike | Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.(Citation: Cyberreason Anchor December 2019) |
IcedID | IcedID can query LDAP to identify additional users on the network to infect.(Citation: IBM IcedID November 2017) |
Poseidon Group | Poseidon Group searches for administrator accounts on both the local victim machine and the network.(Citation: Kaspersky Poseidon Group) |
OSInfo | OSInfo enumerates local and domain users.(Citation: Symantec Buckeye) |
Bankshot | Bankshot gathers domain and account names/information through process monitoring.(Citation: McAfee Bankshot) |
Dragonfly 2.0 | Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller.(Citation: US-CERT TA18-074A) |
Operation Wocao | Operation Wocao has used the |
Valak | Valak has the ability to enumerate domain admin accounts.(Citation: Cybereason Valak May 2020) |
IceApple | The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server.(Citation: CrowdStrike IceApple May 2022) |
Sandworm Team | Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.(Citation: ESET Telebots Dec 2016) |
BRONZE BUTLER | BRONZE BUTLER has used |
Dragonfly | Dragonfly has used batch scripts to enumerate users on a victim domain controller.(Citation: US-CERT TA18-074A) |
AdFind | AdFind can enumerate domain users.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Cybereason Bumblebee August 2022)(Citation: Symantec Bumblebee June 2022) |
APT29 | APT29 has used PowerShell to discover domain accounts by executing |
Mitigations

Mitigation | Description |
---|---|
Operating System Configuration | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. For this technique the relevant setting is to prevent administrator accounts from being listed when an application elevates through UAC, since the prompt otherwise discloses account names: set `EnumerateAdministrators` to 0 under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI`, or via GPO under Computer Configuration > Administrative Templates > Windows Components > Credential User Interface > "Enumerate administrator accounts on elevation" (the UCF STIG entry in the references, "The system must require username and password to elevate a running application", covers this check). This only hides names in the UAC prompt; it does not stop `net`, `dsquery`, AdFind or LDAP queries, which any authenticated domain account can run by default. |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API (for example NetUserEnum and NetGroupEnum) or issue LDAP queries, neither of which produces a process-creation event for a discovery command; for those, domain-controller-side LDAP query logging (Directory Service event 1644 once Field Engineering diagnostic logging is enabled) is the fallback data source. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
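The following script is an added example, not part of this ATT&CK page and not code from any of the tools or groups listed above. It turns the discovery commands named in the description (net, dsquery/dsget, AdFind, csvde, ldapsearch, dscacheutil, and PowerShell AD cmdlets) into process-creation detection rules and runs them over constructed Sysmon Event ID 1 style records, then scores a host/user pair higher when several discovery commands land within a short window, which is the chain-of-behavior view the detection guidance asks for rather than alerting on one `net user /domain`. The event field names, the rule regexes, and the sample events are this example's own assumptions, not a real log schema.

```python
"""Flag domain account discovery (ATT&CK T1087.002) in process-creation telemetry.

Added example: the rules, field names and sample events are this script's own
assumptions; they are not a real log schema and not ATT&CK content.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, image basename regex, command-line regex), both matched against
# lower-cased strings. Checking the image stops "echo net user /domain" in some
# unrelated tool from firing; the command-line regex selects the account-related
# verbs so that e.g. `net use` or `dsquery computer` do not match.
RULES = [
    ("net_user_domain", r"^net1?\.exe$", r"\buser\b.*\s/domain\b"),
    ("net_group_domain", r"^net1?\.exe$", r"\b(group|localgroup)\b.*\s/domain\b"),
    ("dsquery_user_or_group", r"^dsquery\.exe$", r"\s(user|group)\b"),
    ("dsget_group_members", r"^dsget\.exe$", r"\sgroup\b.*-members\b"),
    ("adfind_ad_query", r"^adfind\.exe$",
     r"objectcategory=(person|group)|\s-sc\s+(u:|admincountdmp)"),
    ("csvde_export", r"^csvde\.exe$", r"\s-f\s"),
    ("ldapsearch_users", r"^ldapsearch$", r"objectclass=(person|user|group)|samaccountname"),
    ("dscacheutil_query", r"^dscacheutil$", r"-q\s+(user|group)\b"),
    ("powershell_ad_cmdlet", r"^(powershell|pwsh)\.exe$",
     r"get-ad(user|group|groupmember)\b|\[adsisearcher\]|directoryservices\.directorysearcher"),
]
# Group names whose enumeration deserves a higher severity.
ADMIN_GROUP = re.compile(r"(domain|enterprise|schema)\s+admins|administrators")


def basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(image, cmdline):
    """Return the first matching rule name, or None if the command is not account discovery."""
    base, cl = basename(image), cmdline.lower()
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, base) and re.search(cmd_re, cl):
            return name
    return None


def detect(events, window=timedelta(minutes=10), chain_min=3):
    """One alert per matching event, annotated with how many discovery commands the
    same host/user ran within the preceding `window` (chain_len). `chain` is set once
    chain_min is reached: a lone `net user /domain` is noise on most networks, three
    different discovery commands in ten minutes from one workstation is not."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        rule = classify(ev["image"], ev["cmdline"])
        if rule:
            hits[(ev["host"], ev["user"])].append((ev["ts"], rule, ev["cmdline"]))
    alerts = []
    for (host, user), seq in hits.items():
        for i, (ts, rule, cmdline) in enumerate(seq):
            recent = [h for h in seq[: i + 1] if ts - h[0] <= window]
            alerts.append({
                "ts": ts, "host": host, "user": user, "rule": rule, "cmdline": cmdline,
                "admin_group": bool(ADMIN_GROUP.search(cmdline.lower())),
                "chain_len": len(recent),
                "chain": len(recent) >= chain_min,
            })
    return alerts


def _ev(ts, host, user, image, cmdline):
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "cmdline": cmdline}


# Constructed sample telemetry in a Sysmon Event ID 1 / Security 4688 shape; not real data.
SAMPLE_EVENTS = [
    _ev("2024-03-01T09:00:01", "WS01", r"CORP\jdoe",
        r"C:\Windows\System32\net1.exe", "net1 user /domain"),
    _ev("2024-03-01T09:00:05", "WS01", r"CORP\jdoe",
        r"C:\Windows\System32\net1.exe", 'net1 group "Domain Admins" /domain'),
    _ev("2024-03-01T09:00:40", "WS01", r"CORP\jdoe",
        r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
        'adfind.exe -f "(objectcategory=person)" samaccountname'),
    _ev("2024-03-01T09:03:00", "WS02", r"CORP\svc_backup",
        r"C:\Windows\System32\net1.exe", r"net1 use \\fs01\backup"),       # benign
    _ev("2024-03-01T10:15:00", "WS03", r"CORP\admin1",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell.exe -NoP -C "Get-ADUser -Filter * | Select SamAccountName"'),
    _ev("2024-03-01T10:40:00", "WS02", r"CORP\svc_backup",
        r"C:\Windows\System32\dsquery.exe", "dsquery computer -limit 0"),  # not accounts
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        flag = "CHAIN " if a["chain"] else "      "
        print(f"{flag}{a['ts']:%H:%M:%S} {a['host']} {a['user']:<16} {a['rule']:<22} {a['cmdline']}")
```

Run as written it reports three hits for WS01/jdoe (the third one flagged as a chain, the `Domain Admins` lookup flagged as an admin-group query) and one isolated PowerShell hit for WS03/admin1, while `net use` and `dsquery computer` produce nothing. In a real pipeline the window and chain threshold are the knobs to tune against the organisation's own admin activity, and hosts where the parent process is an Office application or a browser rather than an interactive shell deserve a lower threshold.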
References
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.
- Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
- SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
- UCF. (n.d.). The system must require username and password to elevate a running application. Retrieved December 18, 2017.
- Microsoft. (2017, February 14). Net Commands On Windows Operating Systems. Retrieved March 19, 2020.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
- Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
- Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.