Account Discovery: Domain Account
Other sub-techniques of Account Discovery (4)
ID | Name |
---|---|
T1087.001 | Local Account |
T1087.002 | Domain Account |
T1087.003 | Email Account |
T1087.004 | Cloud Account |
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior. Commands such as `net user /domain` and `net group /domain` of the Net utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain users and groups.
Procedure Examples
Name | Description |
---|---|
AdFind | |
Bankshot | Bankshot gathers domain and account names/information through process monitoring.[4] |
BloodHound | BloodHound can collect information about domain users, including identification of domain admin accounts.[5] |
BRONZE BUTLER | BRONZE BUTLER has used |
Chimera | Chimera has used |
Cobalt Strike | Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.[8] |
CrackMapExec | CrackMapExec can enumerate the domain user accounts on a targeted system.[9] |
Dragonfly 2.0 | Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller.[10] |
dsquery | dsquery can be used to gather information on user accounts within a domain.[11] |
Empire | Empire can acquire local and domain user account information.[12] |
FIN6 | FIN6 has used Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[13] |
IcedID | IcedID can query LDAP to identify additional users on the network to infect.[14] |
Ke3chang | Ke3chang performs account discovery using commands such as |
menuPass | menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[16] |
Net | Net commands used with the |
OilRig | OilRig has run |
OSInfo | |
Poseidon Group | Poseidon Group searches for administrator accounts on both the local victim machine and the network.[20] |
PoshC2 | PoshC2 can enumerate local and domain user account information.[21] |
POWRUNER | POWRUNER may collect user account information by running |
Sandworm Team | Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[23] |
SoreFang | SoreFang can enumerate domain accounts via |
Sykipot | Sykipot may use |
Turla | Turla has used |
Valak | Valak has the ability to enumerate domain admin accounts.[27] |
Wizard Spider | Wizard Spider has identified domain admins through the use of "net group 'Domain admins'" commands.[28] |
Mitigations
Mitigation | Description |
---|---|
Operating System Configuration | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
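As an added example (not part of the ATT&CK page or of any tool or project it references), the following Python snippet applies the detection guidance above to constructed process-creation events. It matches command lines against the domain account discovery commands this page names (`net user /domain`, `net group /domain`, `dsquery`, `ldapsearch`, `dscacheutil -q group`, `csvde.exe` export), tolerates the quoting variants seen in the procedure examples, leaves local-only or unrelated Net usage alone, and flags queries that name the Domain Admins group. The event shape, hostnames, user names and rule names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed process-creation events in a Sysmon/EDR-like shape (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "CORP\\alice", "cmdline": "net user /domain"},
    {"host": "WS01", "user": "CORP\\alice",
     "cmdline": "C:\\Windows\\System32\\net1.exe group \"Domain Admins\" /domain"},
    {"host": "WS02", "user": "CORP\\bob", "cmdline": "dsquery user -limit 0"},
    {"host": "LNX01", "user": "svc-backup",
     "cmdline": "ldapsearch -x -H ldap://dc1 -b dc=corp,dc=local (objectClass=user)"},
    {"host": "MAC01", "user": "carol", "cmdline": "dscacheutil -q group"},
    # Benign Net usage that must not fire: a drive mapping and a local (non-/domain) lookup.
    {"host": "WS03", "user": "CORP\\dave", "cmdline": "net use Z: \\\\fs01\\share"},
    {"host": "WS03", "user": "CORP\\dave", "cmdline": "net user alice"},
]

# (rule name, pattern). The tool name must start the command line or follow a path
# separator or whitespace; the Net rule additionally requires the /domain switch, which is
# what separates domain account discovery from everyday local Net usage.
RULES = [
    ("net_domain_accounts",
     re.compile(r"(?:^|[\\\s])net1?(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b", re.I)),
    ("dsquery_accounts",
     re.compile(r"(?:^|[\\\s])dsquery(?:\.exe)?\s+(?:user|group)\b", re.I)),
    ("ldapsearch",
     re.compile(r"(?:^|[\\/\s])ldapsearch\b", re.I)),
    ("dscacheutil_group",
     re.compile(r"(?:^|[\\/\s])dscacheutil\b.*\s-q\s+(?:user|group)\b", re.I)),
    ("csvde_export",
     re.compile(r"(?:^|[\\\s])csvde(?:\.exe)?\b.*\s-f\b", re.I)),
]

# Curly quotes appear in command lines copied from reports (see the Wizard Spider row);
# normalise them so a quoted group name does not break the match.
_QUOTE_MAP = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
_DOMAIN_ADMINS = re.compile(r"domain\s+admins?\b", re.I)


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str
    high_value: bool  # True when the query names the Domain Admins group


def classify_cmdline(cmdline: str) -> Optional[str]:
    """Return the name of the first discovery rule the command line matches, or None."""
    normalized = cmdline.translate(_QUOTE_MAP)
    for name, pattern in RULES:
        if pattern.search(normalized):
            return name
    return None


def scan_events(events: List[Dict[str, str]]) -> List[Alert]:
    """Run every event through the rules and return one Alert per matching event."""
    alerts: List[Alert] = []
    for ev in events:
        rule = classify_cmdline(ev["cmdline"])
        if rule is None:
            continue
        normalized = ev["cmdline"].translate(_QUOTE_MAP)
        alerts.append(Alert(ev["host"], ev["user"], rule, ev["cmdline"],
                            bool(_DOMAIN_ADMINS.search(normalized))))
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        flag = " [Domain Admins]" if a.high_value else ""
        print(f"{a.host} {a.user} {a.rule}{flag}: {a.cmdline}")
```

A single match is only a lead: in line with the guidance above, an alert should be read together with what precedes and follows it on the same host and user (for example a later authentication to a machine the enumerated group has rights on), and the rules should be baselined against hosts where administrators legitimately run these commands before they are used to page anyone.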
References
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Microsoft. (2017, February 14). Net Commands On Windows Operating Systems. Retrieved March 19, 2020.
- Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- UCF. (n.d.). The system must require username and password to elevate a running application. Retrieved December 18, 2017.