Permission Groups Discovery: Domain Groups
Other sub-techniques of Permission Groups Discovery (3)

ID | Name |
---|---|
.001 | Local Groups |
.002 | Domain Groups |
.003 | Cloud Groups |
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as `net group /domain` of the Net utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain-level groups.
Procedure Examples

Name | Description |
---|---|
Kwampirs | Kwampirs collects a list of domain groups with the command |
LAPSUS$ | LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022) |
Net | Commands such as |
BloodHound | BloodHound can collect information about domain groups and members.(Citation: CrowdStrike BloodHound April 2018) |
SILENTTRINITY | SILENTTRINITY can use the `System.DirectoryServices` namespace to retrieve domain group information.(Citation: GitHub SILENTTRINITY Modules July 2019) |
SolarWinds Compromise | During the SolarWinds Compromise, APT29 used AdFind to enumerate domain groups.(Citation: CrowdStrike StellarParticle January 2022) |
APT29 | APT29 has used AdFind to enumerate domain groups.(Citation: CrowdStrike StellarParticle January 2022) |
Gootloader | Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable.(Citation: SentinelOne Gootloader June 2021) |
ToddyCat | ToddyCat has executed `net group "domain admins" /dom` for discovery on compromised machines.(Citation: Kaspersky ToddyCat Check Logs October 2023) |
GRIFFON | GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.(Citation: SecureList Griffon May 2019) |
Volt Typhoon | Volt Typhoon has run `net group` in compromised environments to discover domain groups.(Citation: Secureworks BRONZE SILHOUETTE May 2023) |
OilRig | OilRig has used |
AdFind | AdFind can enumerate domain groups.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Symantec Bumblebee June 2022) |
Cobalt Strike | Cobalt Strike can identify targets by querying account groups on a domain controller.(Citation: Cobalt Strike Manual 4.3 November 2020) |
FIN7 | FIN7 has used the command `net group "domain admins" /domain` to enumerate domain groups.(Citation: Mandiant FIN7 Apr 2022) |
POWRUNER | POWRUNER may collect domain group information by running |
C0015 | During C0015, the threat actors used the command `net group "domain admins" /dom` to enumerate domain groups.(Citation: DFIR Conti Bazar Nov 2021) |
BlackCat | BlackCat can determine if a user on a compromised host has domain admin privileges.(Citation: Microsoft BlackCat Jun 2022) |
Wizard Spider | Wizard Spider has used |
Brute Ratel C4 | Brute Ratel C4 can use `net group` for discovery on targeted domains.(Citation: Trend Micro Black Basta October 2022) |
SoreFang | SoreFang can enumerate domain groups by executing |
FIN6 | FIN6 has used tools like AdFind to query users, groups, organizational units, and trusts.(Citation: FireEye FIN6 Apr 2019) |
OSInfo | OSInfo specifically looks for Domain Admins and power users within the domain.(Citation: Symantec Buckeye) |
WellMess | WellMess can identify domain group membership for the current user.(Citation: CISA WellMess July 2020) |
Egregor | Egregor can conduct Active Directory reconnaissance using tools such as SharpHound or AdFind.(Citation: Intrinsec Egregor Nov 2020) |
INC Ransom | INC Ransom has enumerated domain groups on targeted hosts.(Citation: Huntress INC Ransom Group August 2023) |
BADHATCH | BADHATCH can use `net.exe group "domain admins" /domain` to identify Domain Administrators.(Citation: BitDefender BADHATCH Mar 2021) |
Ke3chang | Ke3chang performs discovery of permission groups |
Turla | Turla has used |
Inception | Inception has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018) |
Dragonfly | Dragonfly has used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A) |
Helminth | Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands |
Latrodectus | Latrodectus can identify domain groups through `cmd.exe /c net group "Domain Admins" /domain`.(Citation: Bitsight Latrodectus June 2024)(Citation: Elastic Latrodectus May 2024) |
CrackMapExec | CrackMapExec can gather the user accounts within domain groups.(Citation: CME Github September 2018) |
REvil | REvil can identify the domain membership of a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Secureworks REvil September 2019) |
Dragonfly 2.0 | Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A) |
dsquery | dsquery can be used to gather information on permission groups within a domain.(Citation: TechNet Dsquery)(Citation: Mandiant APT41) |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
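The guidance above says to monitor process and command-line telemetry and to read hits as part of a chain rather than in isolation. The following is an added example, not code from the ATT&CK page or any of the projects listed in it: a small detector that scans process-creation records for the domain-group enumeration commands this page names (`net group ... /domain`, `dsquery group`, AdFind, `ldapsearch`, `dscacheutil -q group`, SharpHound) and then reports hosts where several distinct discovery tools fired in the same capture. The record format (pipe-delimited timestamp, host, user, image, command line) and every sample record are constructed for the example; adapt `parse_event` to whatever your EDR or Sysmon pipeline emits.

```python
"""Flag domain-group enumeration in process-creation telemetry (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Rule name -> pattern over the command line. The /dom abbreviation is accepted
# because several procedure examples on this page use it; 'net localgroup' and
# plain 'net group' without /domain are deliberately not matched (that is .001).
RULES = [
    ("net_group_domain", re.compile(r"\bnet1?(?:\.exe)?\s+group\b.*\s/dom(?:ain)?\b", re.I)),
    ("dsquery_group", re.compile(r"\bdsquery(?:\.exe)?\s+group\b", re.I)),
    ("adfind", re.compile(r"\badfind(?:\.exe)?\b", re.I)),
    ("ldapsearch_group", re.compile(r"\bldapsearch\b.*group", re.I)),
    ("dscacheutil_group", re.compile(r"\bdscacheutil\b.*-q\s+group\b", re.I)),
    ("sharphound", re.compile(r"\bsharphound\b", re.I)),
]


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


# Constructed sample records (timestamp|host|user|image|command line); not real telemetry.
SAMPLE_EVENTS = [
    r'2024-05-01T09:00:01Z|HOST01|CORP\alice|C:\Windows\System32\net.exe|net group "domain admins" /domain',
    r'2024-05-01T09:00:05Z|HOST01|CORP\alice|C:\Windows\System32\cmd.exe|cmd.exe /c net group "Domain Admins" /dom',
    r'2024-05-01T09:02:10Z|HOST01|CORP\alice|C:\Temp\AdFind.exe|AdFind.exe -f (objectcategory=group)',
    r'2024-05-01T09:05:00Z|HOST02|CORP\bob|C:\Windows\System32\net.exe|net localgroup administrators',
    r'2024-05-01T09:05:30Z|HOST02|CORP\bob|C:\Windows\System32\net.exe|net user bob',
    r'2024-05-01T09:10:00Z|HOST03|CORP\svc_backup|C:\Windows\System32\dsquery.exe|dsquery group -name "Domain Admins"',
    r'2024-05-01T09:12:00Z|MAC01|carol|/usr/bin/dscacheutil|dscacheutil -q group -a name admin',
    r'2024-05-01T09:15:00Z|LNX01|dave|/usr/bin/ldapsearch|ldapsearch -x -b dc=corp,dc=local (objectClass=group)',
]


def parse_event(line: str) -> Event:
    """Split one record; the command line may itself contain '|', so limit the splits."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return Event(ts, host, user, image, cmdline)


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def detect(lines: list[str]) -> list[dict]:
    """One alert per (event, rule) pair, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev.cmdline):
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                           "rule": rule, "cmdline": ev.cmdline})
    return alerts


def chain_hosts(alerts: list[dict], min_distinct_rules: int = 2) -> list[str]:
    """Hosts on which several distinct discovery tools fired: a chain, not a lone hit."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]} [{a["rule"]}] {a["cmdline"]}')
    print("hosts with a discovery chain:", chain_hosts(found))
```

On the sample data the detector raises six alerts (the two `net group` variants and AdFind on HOST01, `dsquery group` on HOST03, `dscacheutil` on MAC01, `ldapsearch` on LNX01) and reports only HOST01 as a chain, because it is the one host where more than one distinct enumeration tool ran. Single hits from administrators are common, so the per-host aggregation is what makes this worth paging on; in production, key the aggregation on a time window as well as on host.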
References
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
- Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
- Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
- Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
- Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
- Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins? Retrieved January 6, 2021.
- Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
- Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
- Batista, J. (2024, June 17). Latrodectus, are you coming back? Retrieved September 13, 2024.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.