T1069.002 Domain Groups
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as `net group /domain` of the Net utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain-level groups.
Item | Value |
---|---|
ID | T1069.002 |
Sub-techniques | T1069.001, T1069.002, T1069.003 |
Tactics | TA0007 |
Platforms | Linux, Windows, macOS |
Version | 1.2 |
Created | 21 February 2020 |
Last Modified | 07 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0552 | AdFind | AdFind can enumerate domain groups.[1][4][2][3] |
S1068 | BlackCat | BlackCat can determine if a user on a compromised host has domain admin privileges.[20] |
S0521 | BloodHound | BloodHound can collect information about domain groups and members.[11] |
S1063 | Brute Ratel C4 | Brute Ratel C4 can use `net group` for discovery on targeted domains.[9] |
C0015 | C0015 | During C0015, the threat actors used the command `net group "domain admins" /dom` to enumerate domain groups.[32] |
S0154 | Cobalt Strike | Cobalt Strike can identify targets by querying account groups on a domain controller.[17] |
S0488 | CrackMapExec | CrackMapExec can gather the user accounts within domain groups.[7] |
G0035 | Dragonfly | Dragonfly has used batch scripts to enumerate administrators and users in the domain.[28] |
S0105 | dsquery | dsquery can be used to gather information on permission groups within a domain.[5][6] |
S0554 | Egregor | Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.[14] |
S0417 | GRIFFON | GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.[18] |
S0170 | Helminth | Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands `net group Exchange Trusted Subsystem /domain` and `net group domain admins /domain`.[13] |
G0100 | Inception | Inception has used specific malware modules to gather domain membership.[25] |
G0004 | Ke3chang | Ke3chang performs discovery of permission groups with `net group /domain`.[26] |
S0236 | Kwampirs | Kwampirs collects a list of domain groups with the command `net localgroup /domain`.[24] |
G1004 | LAPSUS$ | LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.[30] |
S0039 | Net | Commands such as `net group /domain` can be used in Net to gather information about and manipulate groups.[8] |
G0049 | OilRig | OilRig has used `net group /domain`, `net group "domain admins" /domain`, and `net group "Exchange Trusted Subsystem" /domain` to find domain group permission settings.[27] |
S0165 | OSInfo | OSInfo specifically looks for Domain Admins and power users within the domain.[12] |
S0184 | POWRUNER | POWRUNER may collect domain group information by running `net group /domain` or a series of other commands on a victim.[19] |
S0496 | REvil | REvil can identify the domain membership of a compromised host.[21][22][23] |
S0692 | SILENTTRINITY | SILENTTRINITY can use the System.DirectoryServices namespace to retrieve domain group information.[10] |
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 used AdFind to enumerate domain groups.[31] |
S0516 | SoreFang | SoreFang can enumerate domain groups by executing `net.exe group /domain`.[16] |
G0010 | Turla | Turla has used `net group "Domain Admins" /domain` to identify domain administrators.[29] |
S0514 | WellMess | WellMess can identify domain group membership for the current user.[15] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0036 | Group | Group Enumeration |
DS0009 | Process | OS API Execution |
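The Command Execution data component above maps naturally to process-creation telemetry. The following is an added detection example, not part of the ATT&CK page: it runs simple rules over constructed process-creation events and flags the domain-group enumeration command lines the technique describes (`net`/`net.exe` `group` or `localgroup` with `/domain`, `dscacheutil -q group`, and an `ldapsearch` query for group objects). The event schema, the sample events, the `(objectClass=group)` filter used to narrow the otherwise noisy `ldapsearch` rule, and the per-user burst threshold are all assumptions made for this example.

```python
"""Added example (not from the ATT&CK page): flag process-creation events whose
command line matches domain-group enumeration commands listed for T1069.002.
Event schema, sample events and thresholds are constructed for illustration."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Rules are matched against a normalised (lower-case, single-spaced) command line.
PATTERNS = {
    # Windows Net utility: net group /domain, net group "domain admins" /domain,
    # net localgroup /domain; also net1.exe and full paths such as c:\windows\system32\net.exe
    "net_group_domain": re.compile(
        r'^(?:.*\\)?net(?:1)?(?:\.exe)?\s+(?:local)?group\b.*\s/dom(?:ain)?\b'
    ),
    # macOS Directory Services cache query for group records
    "dscacheutil_group": re.compile(r'^(?:.*/)?dscacheutil\s+-q\s+group\b'),
    # Linux: ldapsearch asking an AD directory for group objects (assumed filter; plain
    # ldapsearch is far too common to alert on by itself)
    "ldapsearch_group": re.compile(r'^(?:.*/)?ldapsearch\b.*\(objectclass=group\)'),
}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "jdoe", "parent": "cmd.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"host": "ws01", "user": "jdoe", "parent": "cmd.exe",
     "cmdline": "net.exe  group /domain"},
    {"host": "ws02", "user": "svc_backup", "parent": "powershell.exe",
     "cmdline": "net localgroup /domain"},
    {"host": "mac01", "user": "asmith", "parent": "zsh",
     "cmdline": "dscacheutil -q group"},
    {"host": "lnx01", "user": "ops", "parent": "bash",
     "cmdline": "ldapsearch -x -H ldap://dc01 -b dc=corp,dc=example '(objectClass=group)' cn"},
    # Benign look-alikes that must not fire
    {"host": "ws03", "user": "jdoe", "parent": "cmd.exe",
     "cmdline": "net use Z: \\\\fs01\\share"},
    {"host": "lnx01", "user": "ops", "parent": "bash",
     "cmdline": "ldapsearch -x -b dc=corp,dc=example '(uid=ops)'"},
]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so quoting/spacing variants match one rule."""
    return " ".join(cmdline.lower().split())


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first matching rule, or None if the command is not flagged."""
    norm = normalise(cmdline)
    for name, rx in PATTERNS.items():
        if rx.search(norm):
            return name
    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Annotate every flagged event with the rule that matched it."""
    hits = []
    for ev in events:
        rule = classify(ev["cmdline"])
        if rule:
            hits.append({**ev, "rule": rule})
    return hits


def burst_by_user(hits: Iterable[Dict[str, str]], threshold: int) -> Set[str]:
    """Users with at least `threshold` flagged commands: repeated enumeration from one
    account is a stronger signal than a single command, which admins also run."""
    counts = Counter(h["user"] for h in hits)
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = detect(SAMPLE_EVENTS)
    for h in flagged:
        print(f"{h['host']:6} {h['user']:11} {h['rule']:18} {h['cmdline']}")
    print("bursting users:", burst_by_user(flagged, 2))
```

The rules deliberately key on the `/domain` switch and on a group-object LDAP filter rather than on the bare tool names, because `net`, `dscacheutil` and `ldapsearch` all have routine administrative uses; in production the parent process, the user's role and the burst count are what separate an administrator from an intruder running the same command.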
References
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins? Retrieved January 6, 2021.
- CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig "FIN7" continues its activities. Retrieved October 11, 2019.
- Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
- Mamedov, O., et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
- Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION "KE3CHANG": Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.