
Permission Groups Discovery: Domain Groups

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.

ID: T1069.002
Sub-technique of: T1069
Tactic(s): Discovery
Platforms: Linux, macOS, Windows
Data Sources: Command: Command Execution, Group: Group Enumeration, Process: OS API Execution, Process: Process Creation
Version: 1.1
Created: 21 Feb 2020
Last Modified: 21 Oct 2022

Procedure Examples

Name Description
Kwampirs

Kwampirs collects a list of domain groups with the command net localgroup /domain.(Citation: Symantec Orangeworm April 2018)

LAPSUS$

LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022)

Net

Commands such as net group /domain can be used in Net to gather information about and manipulate groups.(Citation: Savill 1999)

BloodHound

BloodHound can collect information about domain groups and members.(Citation: CrowdStrike BloodHound April 2018)

SILENTTRINITY

SILENTTRINITY can use `System.DirectoryServices` namespace to retrieve domain group information.(Citation: GitHub SILENTTRINITY Modules July 2019)

APT29

APT29 has used AdFind to enumerate domain groups.(Citation: CrowdStrike StellarParticle January 2022)

GRIFFON

GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.(Citation: SecureList Griffon May 2019)

OilRig

OilRig has used net group /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find domain group permission settings.(Citation: Palo Alto OilRig May 2016)

AdFind

AdFind can enumerate domain groups.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Symantec Bumblebee June 2022)

Cobalt Strike

Cobalt Strike can identify targets by querying account groups on a domain controller.(Citation: Cobalt Strike Manual 4.3 November 2020)

POWRUNER

POWRUNER may collect domain group information by running net group /domain or a series of other commands on a victim.(Citation: FireEye APT34 Dec 2017)

C0015

During C0015, the threat actors use the command `net group "domain admins" /dom` to enumerate domain groups.(Citation: DFIR Conti Bazar Nov 2021)

Wizard Spider

Wizard Spider has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)

SoreFang

SoreFang can enumerate domain groups by executing net.exe group /domain.(Citation: CISA SoreFang July 2016)

FIN6

FIN6 has used tools like Adfind to query users, groups, organizational units, and trusts.(Citation: FireEye FIN6 Apr 2019)

OSInfo

OSInfo specifically looks for Domain Admins and power users within the domain.(Citation: Symantec Buckeye)

WellMess

WellMess can identify domain group membership for the current user.(Citation: CISA WellMess July 2020)

Egregor

Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.(Citation: Intrinsec Egregor Nov 2020)

Ke3chang

Ke3chang performs discovery of permission groups using net group /domain.(Citation: Mandiant Operation Ke3chang November 2014)

Turla

Turla has used net group "Domain Admins" /domain to identify domain administrators.(Citation: ESET ComRAT May 2020)

Inception

Inception has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018)

Dragonfly

Dragonfly has used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A)

Helminth

Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain.(Citation: Unit 42 Playbook Dec 2017)

CrackMapExec

CrackMapExec can gather the user accounts within domain groups.(Citation: CME Github September 2018)

REvil

REvil can identify the domain membership of a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Secureworks REvil September 2019)

Dragonfly 2.0

Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A)

dsquery

dsquery can be used to gather information on permission groups within a domain.(Citation: TechNet Dsquery)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
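As an added example (not part of the ATT&CK entry or of the SECURITM page), the detection guidance above applied in Python to constructed process-creation events: it flags the command lines this page lists (net group /domain, net localgroup /domain, dsquery group, AdFind group queries) and then surfaces hosts where more than one distinct discovery command ran, treating the events as a chain rather than in isolation. The event tuples, host names and threshold are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style);
# not real telemetry. Fields: (host, parent image, image, command line).
SAMPLE_EVENTS = [
    ("ws01", "cmd.exe", "net.exe", 'net group "domain admins" /domain'),
    ("ws01", "cmd.exe", "net1.exe", "net1 group /dom"),
    ("srv02", "powershell.exe", "AdFind.exe", "AdFind.exe -f objectcategory=group"),
    ("srv02", "cmd.exe", "dsquery.exe", "dsquery group -name *"),
    ("ws03", "explorer.exe", "net.exe", "net use Z: \\\\fs01\\share"),
    ("ws01", "cmd.exe", "net.exe", "net localgroup Administrators"),
]

# Patterns for the tools named on this page. net.exe hands work to net1.exe, so both
# images show up in telemetry; the /dom abbreviation from the C0015 example is covered
# by the optional suffix. A local-group query without /domain is deliberately not matched.
RULES = {
    "net_group_domain": re.compile(r"\bnet1?(\.exe)?\s+(local)?group\b.*\s/dom(ain)?\b", re.I),
    "dsquery_group": re.compile(r"\bdsquery(\.exe)?\s+group\b", re.I),
    "adfind_group": re.compile(r"\badfind(\.exe)?\b.*objectcategory\s*=\s*group", re.I),
}


def match_rule(cmdline):
    """Return the name of the first rule the command line matches, or None."""
    for name, rx in RULES.items():
        if rx.search(cmdline):
            return name
    return None


def find_domain_group_enumeration(events):
    """Return (host, rule, cmdline) for every event that looks like domain group discovery."""
    hits = []
    for host, _parent, _image, cmdline in events:
        rule = match_rule(cmdline)
        if rule:
            hits.append((host, rule, cmdline))
    return hits


def hosts_with_repeated_discovery(events, threshold=2):
    """Hosts on which at least `threshold` distinct discovery commands ran.

    Several different group queries from one host are a stronger signal than a
    single command, which an administrator may also run legitimately."""
    per_host = {}
    for host, _rule, cmdline in find_domain_group_enumeration(events):
        per_host.setdefault(host, set()).add(cmdline)
    return sorted(h for h, cmds in per_host.items() if len(cmds) >= threshold)
```

In production the same logic would run over Sysmon or 4688 events joined with the parent process, so that a group query spawned by an unexpected parent (for example an Office application) can be weighted higher.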

References

  1. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  2. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  3. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  4. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  5. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  6. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  7. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  8. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  9. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  10. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  11. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  12. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  13. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  14. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  15. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  16. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
  17. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  18. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  19. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  20. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  21. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  22. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  23. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  24. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  25. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  26. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins? Retrieved January 6, 2021.
  27. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  28. Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
  29. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  30. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  31. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
