Account Manipulation: Additional Local or Domain Groups
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain. On Windows, accounts may use the `net localgroup` and `net group` commands to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group) On Linux, adversaries may use the `usermod` command for the same purpose.(Citation: Linux Usermod) For example, accounts may be added to the local administrators group on Windows devices to maintain elevated privileges. They may also be added to the Remote Desktop Users group, which allows them to leverage Remote Desktop Protocol to log into the endpoints in the future.(Citation: Microsoft RDP Logons) On Linux, accounts may be added to the sudoers group, allowing them to persistently leverage Sudo and Sudo Caching for elevated privileges. In Windows environments, machine accounts may also be added to domain groups. This allows the local SYSTEM account to gain privileges on the domain.(Citation: RootDSE AD Detection 2022)
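The defender-side counterpart to the mechanics above is auditing membership changes in the groups this sub-technique targets. The following is an added example, not part of the ATT&CK page or any of the cited reports: it flags additions to sensitive Windows groups from one-line renderings of Security events (4732, 4728 and 4756 are the real event IDs for a member being added to a security-enabled local, global and universal group; the `key=value` layout and field names are a simplified, constructed rendering, not Windows' native XML), notes machine accounts (names ending in `$`) added to domain groups, and diffs a current `/etc/group` against a baseline snapshot for new `sudo`/`wheel` members. All sample events and group files are constructed.

```python
"""Audit group-membership additions associated with T1098.007 (added example)."""
import re
from dataclasses import dataclass

# Watch-lists (constructed; tune to the environment).
SENSITIVE_WINDOWS_GROUPS = {"Administrators", "Remote Desktop Users", "Domain Admins"}
SENSITIVE_LINUX_GROUPS = {"sudo", "wheel"}

# Real Windows Security event IDs for "member added to security-enabled ... group".
GROUP_ADD_EVENT_IDS = {4732: "local", 4728: "global", 4756: "universal"}


@dataclass(frozen=True)
class Finding:
    source: str   # "windows" or "linux"
    actor: str    # account that performed the change ("?" when unknown)
    member: str   # account that was added
    group: str    # group it was added to
    reason: str


def parse_windows_events(lines):
    """Return Findings for sensitive-group additions in key=value event lines."""
    findings = []
    for line in lines:
        # Values may be bare tokens or double-quoted strings containing spaces.
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
        try:
            event_id = int(fields.get("EventID", "0"))
        except ValueError:
            continue
        scope = GROUP_ADD_EVENT_IDS.get(event_id)
        if scope is None:
            continue
        group = fields.get("TargetUserName", "")
        if group not in SENSITIVE_WINDOWS_GROUPS:
            continue
        member = fields.get("MemberName", "?")
        reason = f"event {event_id}: member added to {scope} group"
        if member.endswith("$"):
            # Machine accounts in privileged domain groups let local SYSTEM act on the domain.
            reason += "; machine account added to group"
        findings.append(Finding("windows", fields.get("SubjectUserName", "?"), member, group, reason))
    return findings


def parse_etc_group(text):
    """Map group name -> set of supplementary members from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def diff_linux_groups(baseline_text, current_text):
    """Return Findings for members present now but absent from the baseline."""
    base, cur = parse_etc_group(baseline_text), parse_etc_group(current_text)
    findings = []
    for group in sorted(SENSITIVE_LINUX_GROUPS):
        for member in sorted(cur.get(group, set()) - base.get(group, set())):
            findings.append(Finding("linux", "?", member, group,
                                    "member present in current /etc/group but not in baseline"))
    return findings


# Constructed sample data.
SAMPLE_WINDOWS_EVENTS = [
    'EventID=4732 SubjectUserName=jdoe TargetUserName=Administrators MemberName=svc_backup',
    'EventID=4732 SubjectUserName=jdoe TargetUserName="Remote Desktop Users" MemberName=supportaccount',
    'EventID=4732 SubjectUserName=jdoe TargetUserName=Users MemberName=alice',
    'EventID=4728 SubjectUserName=admin TargetUserName="Domain Admins" MemberName=WS01$',
    'EventID=4624 SubjectUserName=jdoe TargetUserName=jdoe',
]
BASELINE_ETC_GROUP = "root:x:0:\nsudo:x:27:alice\nwheel:x:10:\nusers:x:100:alice,bob\n"
CURRENT_ETC_GROUP = "root:x:0:\nsudo:x:27:alice,bob\nwheel:x:10:svc_web\nusers:x:100:alice,bob,carol\n"


def audit():
    """Run both checks over the constructed samples and return all findings."""
    return parse_windows_events(SAMPLE_WINDOWS_EVENTS) + diff_linux_groups(BASELINE_ETC_GROUP, CURRENT_ETC_GROUP)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.source}] {f.actor} added {f.member} to {f.group}: {f.reason}")
```

The `/etc/group` diff only sees supplementary members, which is what `usermod -aG` writes; a user whose primary group in `/etc/passwd` is changed to `wheel` (`usermod -g`) would not appear, so a complete check also compares primary GIDs. On Windows, the `net localgroup`/`net group` commands themselves are also worth logging through process-creation auditing, since the 47xx events show the outcome but not the tool used.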
Procedure Examples

Name | Description
---|---
SMOKEDHAM | SMOKEDHAM has added user accounts to local Admin groups.(Citation: FireEye SMOKEDHAM June 2021)
APT41 | APT41 has added user accounts to the User and Admin groups.(Citation: FireEye APT41 Aug 2019)
APT3 | APT3 has been known to add created accounts to local admin groups to maintain elevated access.(Citation: aptsim)
Net | The `net localgroup` and `net group` commands in Net can be used to add existing users to local and domain groups.(Citation: Microsoft Net Localgroup)(Citation: Microsoft Net Group)
Magic Hound | Magic Hound has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.(Citation: DFIR Report APT35 ProxyShell March 2022)
APT5 | APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.(Citation: Mandiant Pulse Secure Update May 2021)
Dragonfly | Dragonfly has added newly created accounts to the administrators group to maintain elevated access.(Citation: US-CERT TA18-074A)
FIN13 | FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.(Citation: Sygnia Elephant Beetle Jan 2022)
DarkGate | DarkGate elevates accounts created through the malware to the local administration group during execution.(Citation: Ensilo Darkgate 2018)
ServHelper | ServHelper has added a user named "supportaccount" to the Remote Desktop Users and Administrators groups.(Citation: Proofpoint TA505 Jan 2019)
Kimsuky | Kimsuky has added accounts to specific groups with
References
- Scarred Monk. (2022, May 6). Real-time detection scenarios in Active Directory environments. Retrieved August 5, 2024.
- Microsoft. (2017, April 9). Allow log on through Remote Desktop Services. Retrieved August 5, 2024.
- Microsoft. (2016, August 31). Net Localgroup. Retrieved August 5, 2024.
- Microsoft. (2016, August 31). Net group. Retrieved August 5, 2024.
- Man7. (n.d.). Usermod. Retrieved August 5, 2024.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate's Supply Chain Software Compromise. Retrieved September 22, 2021.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Sygnia Incident Response Team. (2022, January 5). TG2003: Elephant Beetle - Uncovering an Organized Financial-Theft Operation. Retrieved February 9, 2023.
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.