ID | Name |
---|---|
T1069.001 | Local Groups |
T1069.002 | Domain Groups |
T1069.003 | Cloud Groups |
Adversaries may attempt to find domain-level groups and permission settings. Knowledge of domain-level permission groups helps adversaries determine which groups exist and which users belong to a particular group, and from that which users hold elevated permissions, such as domain administrators. Commands such as `net group /domain` from the Net utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain-level groups.
ID | Name | Description |
---|---|---|
S0552 | AdFind | |
S1081 | BADHATCH | BADHATCH can use |
S1068 | BlackCat | BlackCat can determine if a user on a compromised host has domain admin privileges.[6] |
S0521 | BloodHound | BloodHound can collect information about domain groups and members.[7] |
S1063 | Brute Ratel C4 | Brute Ratel C4 can use |
C0015 | C0015 | During C0015, the threat actors used the command |
S0154 | Cobalt Strike | Cobalt Strike can identify targets by querying account groups on a domain controller.[10] |
S0488 | CrackMapExec | CrackMapExec can gather the user accounts within domain groups.[11] |
G0035 | Dragonfly | Dragonfly has used batch scripts to enumerate administrators and users in the domain.[12] |
S0105 | dsquery | dsquery can be used to gather information on permission groups within a domain.[13][14] |
S0554 | Egregor | Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.[15] |
G0046 | FIN7 | FIN7 has used the command |
S0417 | GRIFFON | GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.[17] |
S0170 | Helminth | Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands |
G0100 | Inception | Inception has used specific malware modules to gather domain membership.[19] |
G0004 | Ke3chang | Ke3chang performs discovery of permission groups |
S0236 | Kwampirs | Kwampirs collects a list of domain groups with the command |
G1004 | LAPSUS$ | LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.[22] |
S0039 | Net | Commands such as |
G0049 | OilRig | OilRig has used |
S0165 | OSInfo | OSInfo specifically looks for Domain Admins and power users within the domain.[25] |
S0184 | POWRUNER | POWRUNER may collect domain group information by running |
S0496 | REvil | REvil can identify the domain membership of a compromised host.[27][28][29] |
S0692 | SILENTTRINITY | SILENTTRINITY can use |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 used AdFind to enumerate domain groups.[31] |
S0516 | SoreFang | SoreFang can enumerate domain groups by executing |
G1022 | ToddyCat | ToddyCat has executed |
G0010 | Turla | Turla has used |
G1017 | Volt Typhoon | Volt Typhoon has run |
S0514 | WellMess | WellMess can identify domain group membership for the current user.[36] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings. |
DS0036 | Group | Group Enumeration | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, e.g. Windows EID 4798 and 4799. |
DS0009 | Process | OS API Execution | Monitor for API calls associated with finding domain-level groups and permission settings. Note: most EDR tools do not support direct monitoring of API calls because of the sheer volume of calls an endpoint produces, but they may expose alerts or events based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can trace execution, including OS API calls, for a single PE binary. |
DS0009 | Process | Process Creation | Monitor newly executed processes that may attempt to find domain-level groups and permission settings. On Linux, auditing frameworks that support alerting on process creation, including the audit daemon (auditd), can alert on invocations of the commands named in the description above (e.g. `ldapsearch`). On macOS, utilities that work in concert with Apple's Endpoint Security Framework, such as Process Monitor, can track usage of commands such as `dscacheutil -q group`. Note: the relevant event IDs are Sysmon Event ID 1 (process creation; Event ID 10 covers process access, not creation) and Windows Security Log Event ID 4688 (a new process has been created), the latter only carrying the command line when command-line auditing is enabled. Analytic 1 - Local Permission Group Discovery - Net |
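The Process Creation guidance above, turned into a small detection as an added example (this is not the ATT&CK page's own analytic, whose body is not reproduced here, and not any vendor's rule set). The events are constructed for the example; their fields mirror Windows Security Event ID 4688 / Sysmon Event ID 1 (user, new process image, command line) but the record layout and the regular expressions are this example's own assumptions. It covers the commands named on this page (`net group /domain`, `dsquery`, AdFind, `ldapsearch`, `dscacheutil -q group`) plus the PowerShell AD cmdlets, tolerates full paths, quoting and the `net1.exe` helper that `net.exe` spawns, and adds a second stage that flags a user whose findings span several distinct enumeration techniques, which is a stronger signal than a single `net group` from an administrator.

```python
"""Flag process-creation events whose command line enumerates domain groups.

Added example, not part of the ATT&CK page.  Events are constructed (not real
telemetry); field names mirror Windows Security 4688 / Sysmon EID 1 but the
record layout and rules are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str     # NewProcessName (4688) / Image (Sysmon)
    cmdline: str   # CommandLine; empty on 4688 unless command-line auditing is on


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    label: str
    cmdline: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"CORP\jdoe", r"C:\Windows\System32\net1.exe",
              'net1  group "Domain Admins" /domain'),
    ProcEvent("ws01", r"CORP\jdoe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -c \"Get-ADGroupMember -Identity 'Domain Admins'\""),
    ProcEvent("ws02", r"CORP\svc_backup", r"C:\Windows\System32\net.exe",
              r"net use \\fs01\share /user:CORP\svc_backup"),
    ProcEvent("lnx01", "analyst", "/usr/bin/ldapsearch",
              'ldapsearch -x -H ldap://dc01.corp.local -b "dc=corp,dc=local" '
              '"(objectClass=group)" cn member'),
    ProcEvent("ws03", r"CORP\jdoe", r"C:\Users\jdoe\Downloads\adfind.exe",
              'adfind.exe -f "objectcategory=group" cn member'),
    ProcEvent("mac01", "analyst", "/usr/bin/dscacheutil", "dscacheutil -q group"),
    ProcEvent("ws02", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c echo deploy complete"),
]

# Rules match against the lower-cased command line.  net.exe hands most
# subcommands to net1.exe, so 4688 usually logs both; "net1?" covers either.
# _LEAD tolerates a full path, whitespace or quoting before the program name.
_LEAD = r"""(?:^|[\s\\"'])"""
RULES = [
    (re.compile(_LEAD + r"net1?(?:\.exe)?\s+group\b"), "net group [/domain]"),
    (re.compile(_LEAD + r"ds(?:query|get)(?:\.exe)?\s+group\b"), "dsquery/dsget group"),
    (re.compile(r"\bget-adgroup(?:member)?\b"), "PowerShell Get-ADGroup/Get-ADGroupMember"),
    (re.compile(r"\badfind(?:\.exe)?\b.*objectcategory=group"), "AdFind objectcategory=group"),
    (re.compile(r"\bldapsearch\b.*objectclass=group"), "ldapsearch (objectClass=group)"),
    (re.compile(r"\bdscacheutil\b.*-q\s+group\b"), "dscacheutil -q group"),
]


def classify(event: ProcEvent) -> List[str]:
    """Return the labels of every rule the event's command line matches."""
    text = event.cmdline.lower()
    return [label for rx, label in RULES if rx.search(text)]


def detect(events: List[ProcEvent]) -> List[Finding]:
    """One Finding per (event, matching rule), in event order."""
    out: List[Finding] = []
    for ev in events:
        for label in classify(ev):
            out.append(Finding(ev.host, ev.user, label, ev.cmdline))
    return out


def users_with_repeat_discovery(findings: List[Finding], threshold: int = 2) -> Dict[str, int]:
    """Users whose findings span at least `threshold` distinct techniques.

    A lone 'net group' from an admin is usually noise; one account driving
    several different enumeration tools across hosts is worth escalating.
    """
    per_user: Dict[str, set] = {}
    for f in findings:
        per_user.setdefault(f.user, set()).add(f.label)
    return {u: len(s) for u, s in per_user.items() if len(s) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.user:18} {f.label:42} {f.cmdline}")
    print("escalate:", users_with_repeat_discovery(hits))
```

Run against the constructed events, the rules fire on five of the seven processes (the `net use` and `echo` commands are left alone) and the second stage singles out the account that ran three different enumeration techniques across two hosts. The rules key on the command line rather than the image path because AdFind and similar tools are routinely renamed; the trade-off is that 4688 only carries that field when command-line auditing is enabled, as noted in the table above.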