Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Доменные группы
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Доменные группы
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Permission Groups Discovery:  Доменные группы

ID Название
.001 Локальные группы
.002 Доменные группы
.003 Облачные группы

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.

ID: T1069.002
Относится к технике:  T1069
Тактика(-и): Discovery
Платформы: Linux, Windows, macOS
Источники данных: Command: Command Execution, Group: Group Enumeration, Process: OS API Execution, Process: Process Creation
Версия: 1.2
Дата создания: 21 Feb 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
Net

Commands such as net group /domain can be used in Net to gather information about and manipulate groups.(Citation: Savill 1999)
GRIFFON

GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.(Citation: SecureList Griffon May 2019)
BloodHound

BloodHound can collect information about domain groups and members.(Citation: CrowdStrike BloodHound April 2018)
POWRUNER

POWRUNER may collect domain group information by running net group /domain or a series of other commands on a victim.(Citation: FireEye APT34 Dec 2017)
SILENTTRINITY

SILENTTRINITY can use `System.DirectoryServices` namespace to retrieve domain group information.(Citation: GitHub SILENTTRINITY Modules July 2019)
BADHATCH

BADHATCH can use `net.exe group "domain admins" /domain` to identify Domain Administrators.(Citation: BitDefender BADHATCH Mar 2021)
dsquery

dsquery can be used to gather information on permission groups within a domain.(Citation: TechNet Dsquery)(Citation: Mandiant APT41)
Gootloader

Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.(Citation: SentinelOne Gootloader June 2021)
WellMess

WellMess can identify domain group membership for the current user.(Citation: CISA WellMess July 2020)
BlackCat

BlackCat can determine if a user on a compromised host has domain admin privileges.(Citation: Microsoft BlackCat Jun 2022)
Brute Ratel C4

Brute Ratel C4 can use `net group` for discovery on targeted domains.(Citation: Trend Micro Black Basta October 2022)
Latrodectus

Latrodectus can identify domain groups through `cmd.exe /c net group "Domain Admins" /domain`.(Citation: Bitsight Latrodectus June 2024)(Citation: Elastic Latrodectus May 2024)
Cobalt Strike

Cobalt Strike can identify targets by querying account groups on a domain contoller.(Citation: Cobalt Strike Manual 4.3 November 2020)
REvil

REvil can identify the domain membership of a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Secureworks REvil September 2019)
Kwampirs

Kwampirs collects a list of domain groups with the command net localgroup /domain.(Citation: Symantec Orangeworm April 2018)
CrackMapExec

CrackMapExec can gather the user accounts within domain groups.(Citation: CME Github September 2018)
Egregor

Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.(Citation: Intrinsec Egregor Nov 2020)
SoreFang

SoreFang can enumerate domain groups by executing net.exe group /domain.(Citation: CISA SoreFang July 2016)
Helminth

Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain.(Citation: Unit 42 Playbook Dec 2017)
AdFind

AdFind can enumerate domain groups.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Symantec Bumblebee June 2022)
OSInfo

OSInfo specifically looks for Domain Admins and power users within the domain.(Citation: Symantec Buckeye)

Turla

Turla has used net group "Domain Admins" /domain to identify domain administrators.(Citation: ESET ComRAT May 2020)
APT29

APT29 has used AdFind to enumerate domain groups.(Citation: CrowdStrike StellarParticle January 2022)
Dragonfly 2.0

Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A)
Wizard Spider

Wizard Spider has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)
Dragonfly

Dragonfly has used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A)
INC Ransom

INC Ransom has enumerated domain groups on targeted hosts.(Citation: Huntress INC Ransom Group August 2023)
OilRig

OilRig has used net group /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find domain group permission settings.(Citation: Palo Alto OilRig May 2016)
Inception

Inception has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018)
FIN7

FIN7 has used the command `net group "domain admins" /domain` to enumerate domain groups.(Citation: Mandiant FIN7 Apr 2022)
Volt Typhoon

Volt Typhoon has run `net group` in compromised environments to discover domain groups.(Citation: Secureworks BRONZE SILHOUETTE May 2023)
ToddyCat

ToddyCat has executed `net group "domain admins" /dom` for discovery on compromised machines.(Citation: Kaspersky ToddyCat Check Logs October 2023)
Ke3chang

Ke3chang performs discovery of permission groups net group /domain.(Citation: Mandiant Operation Ke3chang November 2014)
FIN6

FIN6 has used tools like Adfind to query users, groups, organizational units, and trusts.(Citation: FireEye FIN6 Apr 2019)

LAPSUS$

LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022)

Обнаружение

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Ссылки

  1. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
  2. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  3. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  4. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  5. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  6. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  7. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  8. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  9. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  10. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  11. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  12. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  13. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  14. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  15. Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
  16. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  17. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  18. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  19. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  20. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  21. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
  22. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  23. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  24. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  25. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  26. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  28. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
  29. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  30. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  31. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  32. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  33. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  34. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  35. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  36. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  37. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  38. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  39. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  40. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  41. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  42. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  43. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  44. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.