Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Valid Accounts:  Доменные учетные записи

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

ID: T1078.002
Относится к технике:  T1078
Тактика(-и): Defense Evasion, Initial Access, Persistence, Privilege Escalation
Платформы: Linux, macOS, Windows
Требуемые разрешения: Administrator, User
Источники данных: Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Версия: 1.4
Дата создания: 13 Mar 2020
Последнее изменение: 14 Aug 2023

Примеры процедур

Название Описание
CreepySnail

CreepySnail can use stolen credentials to authenticate on target networks.(Citation: Microsoft POLONIUM June 2022)

During Night Dragon, threat actors used domain accounts to gain further access to victim systems.(Citation: McAfee Night Dragon)

For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks.(Citation: ESET Dukes October 2019)

Cobalt Strike

Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)

Naikon

Naikon has used administrator credentials for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)

During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement.(Citation: Cybereason OperationCuckooBees May 2022)

Agrius

Agrius attempted to acquire valid credentials for victim environments through various means to enable follow-on lateral movement.(Citation: Unit42 Agrius 2023)

Wizard Spider

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Sandworm Team

Sandworm Team has used stolen credentials to access administrative accounts within the domain.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022)

During the SolarWinds Compromise, APT29 used domain administrators' accounts to help facilitate lateral movement on compromised networks.(Citation: CrowdStrike StellarParticle January 2022)

APT29

APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: CrowdStrike StellarParticle January 2022)

Ryuk

Ryuk can use stolen domain admin accounts to move laterally within a victim domain.(Citation: ANSSI RYUK RANSOMWARE)

Shamoon

If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.(Citation: FireEye Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)

Cinnamon Tempest

Cinnamon Tempest has obtained highly privileged credentials such as domain administrator in order to deploy malware.(Citation: Microsoft Ransomware as a Service)

ToddyCat

ToddyCat has used compromised domain admin credentials to mount local network shares.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Indrik Spider

Indrik Spider has collected credentials from infected systems, including domain accounts.(Citation: Crowdstrike Indrik November 2018)

APT3

APT3 leverages valid accounts after gaining credentials for use within the victim domain.(Citation: Symantec Buckeye)

Chimera

Chimera has used compromised domain accounts to gain access to the target environment.(Citation: NCC Group Chimera January 2021)

During Operation Wocao, threat actors used domain credentials, including domain admin, for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)

Cobalt Strike

Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017)

Operation Wocao

Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)

Play

Play has used valid domain accounts for access.(Citation: Trend Micro Ransomware Spotlight Play July 2023)

TA505

TA505 has used stolen domain admin accounts to compromise additional hosts.(Citation: IBM TA505 April 2020)

Threat Group-1314

Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.(Citation: Dell TG-1314)

APT5

APT5 has used legitimate account credentials to move laterally through compromised environments.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Magic Hound

Magic Hound has used domain administrator accounts after dumping LSASS process memory.(Citation: DFIR Phosphorus November 2021)

During Cutting Edge, threat actors used compromised VPN accounts for lateral movement on targeted networks.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)

Stuxnet

Stuxnet attempts to access network resources with a domain account’s credentials.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

Volt Typhoon

Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

Aquatic Panda

Aquatic Panda used multiple mechanisms to capture valid user accounts for victim domains to enable lateral movement and access to additional hosts in victim environments.(Citation: Crowdstrike HuntReport 2022)

Контрмеры

Контрмера Описание
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Password Policies

Set and enforce secure password policies for accounts.

Обнаружение

Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). On Linux, check logs and other artifacts created by use of domain authentication services, such as the System Security Services Daemon (sssd).(Citation: Ubuntu SSSD Docs) Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.

Ссылки

  1. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  2. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  3. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  4. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  5. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  6. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  7. Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021.
  8. Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.
  9. Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.
  10. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  11. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  12. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  13. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  14. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  15. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  16. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  17. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  18. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  19. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  20. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  21. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
  22. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  23. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  24. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  25. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  26. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  27. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  28. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  29. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  30. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  31. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  32. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  33. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  34. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  35. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  36. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  37. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  38. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  39. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  40. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.