Исследование доверительных отношений между доменами
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)
Примеры процедур |
|
Название | Описание |
---|---|
Empire |
Empire has modules for enumerating domain trusts.(Citation: Github PowerShell Empire) |
Bazar |
Bazar can use Nltest tools to obtain information about the domain.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
AdFind |
AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: Symantec Bumblebee June 2022) |
Chimera |
Chimera has |
APT29 |
APT29 used the |
Nltest |
Nltest may be used to enumerate trusted domains by using commands such as |
UNC2452 |
UNC2452 used the |
QakBot |
QakBot can run |
Earth Lusca |
Earth Lusca has used Nltest to obtain information about domain controllers.(Citation: TrendMicro EarthLusca 2022) |
BloodHound |
BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.(Citation: CrowdStrike BloodHound April 2018) |
PoshC2 |
PoshC2 has modules for enumerating domain trusts.(Citation: GitHub PoshC2) |
dsquery |
dsquery can be used to gather information on domain trusts with |
Wizard Spider |
Wizard Spider has used |
PowerSploit |
PowerSploit has modules such as |
TrickBot |
TrickBot can gather information about domain trusts by utilizing Nltest.(Citation: Fortinet TrickBot)(Citation: Cyberreason Anchor December 2019) |
FIN8 |
FIN8 has retrieved a list of trusted domains by using |
During C0015, the threat actors used the command `nltest /domain_trusts /all_trusts` to enumerate domain trusts.(Citation: DFIR Conti Bazar Nov 2021) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
Network Segmentation |
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
Domain Trust Discovery Mitigation |
Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts) |
Обнаружение
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as `nltest /domain_trusts`. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the `DSEnumerateDomainTrusts()` Win32 API call to spot activity associated with Domain Trust Discovery.(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as PowerShell. The .NET method `GetAllTrustRelationships()` can be an indicator of Domain Trust Discovery.(Citation: Microsoft GetAllTrustRelationships)
Ссылки
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.
- Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019.
- Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019.
- Metcalf, S. (2015, July 15). It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved February 14, 2019.
- Florio, E.. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
- ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
Связанные риски
Риск | Связи | |
---|---|---|
Раскрытие информации об ИТ инфраструктуре из-за
возможности обнаружения или добавления доверительных отношений между доменами в доменных службах Active Directory
Конфиденциальность
Раскрытие информации
|
|
|
Повышение привилегий в ОС из-за
возможности обнаружения или добавления доверительных отношений между доменами microsoft Azure
Повышение привилегий
Целостность
|
|
|
Повышение привилегий в ОС из-за
возможности обнаружения или добавления доверительных отношений между доменами в доменных службах Active Directory
Повышение привилегий
Целостность
|
|
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.