Valid Accounts: Локальные учетные записи
Other sub-techniques of Valid Accounts (4)
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
Примеры процедур |
|
Название | Описание |
---|---|
APT29 |
APT29 has used compromised local accounts to access victims' networks.(Citation: CrowdStrike StellarParticle January 2022) |
Operation Wocao |
Operation Wocao has used local account credentials found during the intrusion for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019) |
Kimsuky |
Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018) |
Cobalt Strike |
Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017) |
Emotet |
Emotet can brute force a local admin password, then use it to facilitate lateral movement.(Citation: Malwarebytes Emotet Dec 2017) |
Stolen Pencil |
Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP. (Citation: Netscout Stolen Pencil Dec 2018) |
Cobalt Strike |
Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.(Citation: cobaltstrike manual)(Citation: CobaltStrike Daddy May 2017) |
PROMETHIUM |
PROMETHIUM has created admin accounts on a compromised host.(Citation: Bitdefender StrongPity June 2020) |
FIN10 |
FIN10 has moved laterally using the Local Administrator account.(Citation: FireEye FIN10 June 2017) |
Play |
Play has used valid local accounts to gain initial access.(Citation: Trend Micro Ransomware Spotlight Play July 2023) |
APT32 |
APT32 has used legitimate local admin account credentials.(Citation: FireEye APT32 May 2017) |
Tropic Trooper |
Tropic Trooper has used known administrator account credentials to execute the backdoor directly.(Citation: TrendMicro Tropic Trooper May 2020) |
HAFNIUM |
HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.(Citation: FireEye Exchange Zero Days March 2021) |
FIN7 |
FIN7 has used compromised credentials for access as SYSTEM on Exchange servers.(Citation: Microsoft Ransomware as a Service) |
During the SolarWinds Compromise, APT29 used compromised local accounts to access victims' networks.(Citation: CrowdStrike StellarParticle January 2022) |
|
APT29 |
APT29 targets dormant or inactive user accounts, accounts belonging to individuals no longer at the organization but whose accounts remain on the system, for access and persistence.(Citation: NCSC et al APT29 2024) |
NotPetya |
NotPetya can use valid credentials with PsExec or |
Umbreon |
Umbreon creates valid local users to provide access to the system.(Citation: Umbreon Trend Micro) |
During Operation Wocao, threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019) |
|
Turla |
Turla has abused local accounts that have the same password across the victim’s network.(Citation: ESET Crutch December 2020) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Multi-factor Authentication |
Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
Password Policies |
Set and enforce secure password policies for accounts. |
User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Обнаружение
Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.
Ссылки
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
- Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Microsoft. (2016, April 16). Implementing Least-Privilege Administrative Models. Retrieved June 3, 2016.
- Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
- Margosis, A.. (2018, December 10). Remote Use of Local Accounts: LAPS Changes Everything. Retrieved March 13, 2020.
- Kubernetes. (2022, February 26). Configure Service Accounts for Pods. Retrieved April 1, 2022.
- Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
- Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
- US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
- Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
- Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.