T1078.002 Domain Accounts

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.[1] Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.[3]

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.

ID: T1078.002
Sub-techniques of T1078 (Valid Accounts): T1078.001, T1078.002, T1078.003, T1078.004
Tactics: TA0005 (Defense Evasion), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0001 (Initial Access)
CAPEC ID: CAPEC-560
Platforms: Linux, Windows, macOS
Permissions required: Administrator, User
Version: 1.2
Created: 13 March 2020
Last Modified: 19 April 2022

Procedure Examples

ID Name Description
G0016 APT29 APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.[18][19][20]
G0022 APT3 APT3 leverages valid accounts after gaining credentials for use within the victim domain.[16]
G0114 Chimera Chimera has used compromised domain accounts to gain access to the target environment.[21]
S0154 Cobalt Strike Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.[7][8][9]
G0119 Indrik Spider Indrik Spider has collected credentials from infected systems, including domain accounts.[13]
G0019 Naikon Naikon has used administrator credentials for lateral movement in compromised networks.[15]
G0116 Operation Wocao Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.[12]
S0446 Ryuk Ryuk can use stolen domain admin accounts to move laterally within a victim domain.[6]
G0034 Sandworm Team Sandworm Team has used stolen credentials to access administrative accounts within the domain.[14]
S0140 Shamoon If Shamoon cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.[10][11]
S0603 Stuxnet Stuxnet attempts to access network resources with a domain account’s credentials.[5]
G0092 TA505 TA505 has used stolen domain admin accounts to compromise additional hosts.[17]
G0028 Threat Group-1314 Threat Group-1314 actors used compromised domain credentials for the victim’s endpoint management platform, Altiris, to move laterally.[22]
G0102 Wizard Spider Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.[23]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
M1026 Privileged Account Management Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.
M1017 User Training Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.
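The following audit turns the first two sentences of M1026 into a check: which domain accounts hold local administrator rights on many systems (the "same local administrator password everywhere" equivalence), and which hold them across more than one administrative tier. It is an added example, not code from ATT&CK or Microsoft. The host inventory, the AD group membership and the tier labels are constructed for the example; in a real run the inventory would come from each host (for instance Get-LocalGroupMember Administrators or net localgroup Administrators) and the group expansion from Get-ADGroupMember. The max_hosts threshold and the three-tier labelling are assumptions to adjust to the environment.

```python
"""Audit of domain-account overlap in local Administrators groups (mitigation M1026).

Added example for T1078.002; the inventory and AD group data below are constructed.
Tier labels and the max_hosts threshold are assumptions, not values from the page.
"""
from collections import defaultdict

# Constructed inventory: host -> (tier, direct members of the local Administrators group).
# Assumed tier model: 0 = domain controllers, 1 = member servers, 2 = workstations.
HOSTS = {
    "DC01":  (0, ["CORP\\Domain Admins", "DC01\\Administrator"]),
    "FS01":  (1, ["CORP\\Domain Admins", "CORP\\ServerAdmins", "FS01\\Administrator"]),
    "SQL01": (1, ["CORP\\Domain Admins", "CORP\\ServerAdmins", "CORP\\svc_backup", "SQL01\\Administrator"]),
    "WS01":  (2, ["CORP\\Domain Admins", "CORP\\Helpdesk", "CORP\\svc_backup", "WS01\\Administrator"]),
    "WS02":  (2, ["CORP\\Domain Admins", "CORP\\Helpdesk", "CORP\\svc_backup", "CORP\\jsmith", "WS02\\Administrator"]),
    "WS03":  (2, ["CORP\\Domain Admins", "CORP\\Helpdesk", "CORP\\svc_backup", "WS03\\Administrator"]),
}

# Constructed AD group membership, used to expand nested groups down to user accounts.
AD_GROUPS = {
    "CORP\\Domain Admins": ["CORP\\da_alice"],
    "CORP\\ServerAdmins": ["CORP\\srv_bob"],
    "CORP\\Helpdesk": ["CORP\\hd_carol", "CORP\\hd_dave"],
}


def expand(principal, groups, _seen=None):
    """Expand a domain group (recursively, cycle-safe) to its user members.
    A principal that is not a known group is treated as a user and returned as-is."""
    seen = set() if _seen is None else _seen
    if principal in seen:
        return set()
    seen.add(principal)
    if principal not in groups:
        return {principal}
    members = set()
    for member in groups[principal]:
        members |= expand(member, groups, seen)
    return members


def local_admin_footprint(hosts, groups, forest_domains=frozenset({"CORP"})):
    """Map each domain user to the hosts where it holds local admin, directly or
    through a nested group. Local accounts (HOST\\name) are not domain accounts
    and are skipped."""
    footprint = defaultdict(set)
    for host, (_tier, members) in hosts.items():
        for member in members:
            domain = member.split("\\", 1)[0].upper()
            if domain not in forest_domains:
                continue
            for user in expand(member, groups):
                footprint[user].add(host)
    return footprint


def findings(hosts, groups, max_hosts=3):
    """Two checks drawn from M1026:
    wide:       a domain account with local admin on more than max_hosts systems,
                equivalent to one local administrator password shared across them;
    cross_tier: a domain account with local admin in more than one tier, so a
                compromise in a low tier reaches higher-value systems."""
    footprint = local_admin_footprint(hosts, groups)
    wide, cross_tier = {}, {}
    for user, admin_on in footprint.items():
        if len(admin_on) > max_hosts:
            wide[user] = sorted(admin_on)
        tiers = {hosts[h][0] for h in admin_on}
        if len(tiers) > 1:
            cross_tier[user] = sorted(tiers)
    return wide, cross_tier


if __name__ == "__main__":
    wide, cross_tier = findings(HOSTS, AD_GROUPS)
    for user, hs in wide.items():
        print(f"WIDE       {user}: local admin on {len(hs)} hosts: {', '.join(hs)}")
    for user, tiers in cross_tier.items():
        print(f"CROSS-TIER {user}: local admin in tiers {tiers}")
```

On the constructed data, svc_backup is reported by both checks (local admin on a tier 1 server and three tier 2 workstations), while the helpdesk accounts stay within one tier and under the host threshold. The Domain Admins finding appears in any default domain, since that group is placed in every domain member's local Administrators group; the tiered model keeps those accounts off lower-tier hosts through deny-logon user rights rather than by removing the group, so that finding is a prompt to verify those restrictions rather than a membership change.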

Detection

ID Data Source Data Component
DS0028 Logon Session Logon Session Creation
DS0002 User Account User Account Authentication
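On Windows, Logon Session Creation (DS0028) is recorded as Security event 4624 on the host where the session is created, and User Account Authentication (DS0002) as Kerberos events 4768/4769 and NTLM event 4776 on the domain controller. The analytic below is an added example over 4624-shaped data, not code from ATT&CK: it flags a domain account that creates network or RDP logon sessions on many distinct hosts in a short window, the pattern shared by most of the lateral-movement procedures listed above. The events are constructed; field order follows the 4624 fields TargetDomainName, TargetUserName, LogonType and IpAddress plus the recording host. The window and host-count thresholds, and the CORP forest domain name, are assumptions to tune per environment.

```python
"""Fan-out detection over Logon Session Creation data (Windows Security event 4624).

Added example for T1078.002; the events below are constructed, not real telemetry.
Thresholds (10 minutes, 5 hosts) and the forest domain "CORP" are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types from the 4624 event definition that indicate a remote session:
# 3 = Network (SMB, WMI, PsExec-style service creation), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample: (TimeCreated, Computer, TargetDomainName, TargetUserName, LogonType, IpAddress)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "WS01", "CORP", "jsmith", 2, "-"),          # console logon, benign
    ("2024-05-01T09:01:10", "FS01", "CORP", "jsmith", 3, "10.1.1.21"),  # one share access, benign
    ("2024-05-01T09:02:00", "WS01", "WS01", "localadm", 2, "-"),        # local account: not T1078.002
    ("2024-05-01T09:03:00", "DC01", "CORP", "WS01$", 3, "10.1.1.21"),   # machine account, ignored
    # svc_backup reaches six hosts in four minutes from one source IP: the pattern to flag
    ("2024-05-01T10:00:00", "WS01", "CORP", "svc_backup", 3, "10.1.1.50"),
    ("2024-05-01T10:00:30", "WS02", "CORP", "svc_backup", 3, "10.1.1.50"),
    ("2024-05-01T10:01:00", "WS03", "CORP", "svc_backup", 3, "10.1.1.50"),
    ("2024-05-01T10:01:30", "FS01", "CORP", "svc_backup", 3, "10.1.1.50"),
    ("2024-05-01T10:02:00", "SQL01", "CORP", "svc_backup", 10, "10.1.1.50"),
    ("2024-05-01T10:03:50", "DC01", "CORP", "svc_backup", 3, "10.1.1.50"),
    # helpdesk1 also touches five hosts, but over a whole shift: below the rate threshold
    ("2024-05-01T08:00:00", "WS01", "CORP", "helpdesk1", 10, "10.1.1.60"),
    ("2024-05-01T11:00:00", "WS02", "CORP", "helpdesk1", 10, "10.1.1.60"),
    ("2024-05-01T14:00:00", "WS03", "CORP", "helpdesk1", 10, "10.1.1.60"),
    ("2024-05-01T17:00:00", "WS04", "CORP", "helpdesk1", 10, "10.1.1.60"),
    ("2024-05-01T20:00:00", "WS05", "CORP", "helpdesk1", 10, "10.1.1.60"),
]


def is_domain_user(domain, user, host, forest_domains):
    """Keep only user/service accounts from our AD domains: drop local accounts
    (TargetDomainName equals the host name), machine accounts (name ends in $)
    and the null/anonymous session pseudo-account."""
    if user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return False
    return domain.upper() in forest_domains and domain.upper() != host.upper()


def fanout_alerts(events, forest_domains=frozenset({"CORP"}),
                  window=timedelta(minutes=10), min_hosts=5):
    """Return {DOMAIN\\USER: sorted hosts} for domain accounts that created remote
    logon sessions on at least min_hosts distinct hosts inside any `window`."""
    per_account = defaultdict(list)
    for ts, host, domain, user, logon_type, _src in events:
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        if not is_domain_user(domain, user, host, forest_domains):
            continue
        key = f"{domain}\\{user}".upper()
        per_account[key].append((datetime.fromisoformat(ts), host.upper()))

    alerts = {}
    for account, logons in per_account.items():
        logons.sort()
        lo = 0  # sliding window over time-ordered logons
        for hi in range(len(logons)):
            while logons[hi][0] - logons[lo][0] > window:
                lo += 1
            hosts = {h for _, h in logons[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in fanout_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: remote logons to {len(hosts)} hosts in 10 min: {', '.join(hosts)}")
```

Machine accounts and local accounts are excluded because they are not domain user credentials (machine accounts are covered by normal AD replication and service traffic, local accounts by T1078.003). Per-account baselines matter for the threshold: a backup or vulnerability-scanning service account legitimately fans out every night, so such accounts belong on an allowlist tied to their expected source IP (the IpAddress field, carried through here as _src but not yet used) rather than being exempted outright.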

References


  1. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. 

  2. Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. 

  3. Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020. 

  4. Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021. 

  5. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. 

  6. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021. 

  7. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  8. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019. 

  9. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  10. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. 

  11. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. 

  12. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 

  13. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  14. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  15. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  16. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. 

  17. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. 

  18. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  19. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. 

  20. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  21. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  22. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016. 

  23. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 