Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the Net utility, <code>dscacheutil -q group</code>on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. PowerShell cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1087.002 | Domain Account |
Comments
Intel Threat Detection Technology (TDT), in combination with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of Account or Domain Account Discovery attacks. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, while minimizing system performance impact.
Account or Domain Account Discovery techniques involve attackers enumerating user accounts or domain accounts within an organization. By discovering valid user credentials or domain accounts, adversaries can identify targets for further attacks, including lateral movement, privilege escalation, or credential harvesting. These techniques are often used to gather critical information about account structures, access levels, and administrative rights, enabling attackers to plan their next move more effectively.
Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow at the hardware level. This telemetry helps security teams detect abnormal behaviors, such as unauthorized attempts to query or enumerate user or domain accounts, often indicating reconnaissance or preparation for lateral movement. By continuously monitoring low-level system activities, Intel TDT can quickly detect and alert on suspicious actions targeting account or domain account discovery.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|
| CVE-2023-3519 | Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
This vulnerability allows for unauthenticated remote code execution. This can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries have been observed to use this exploitation to drop a webshell on a target machine and subsequently discover, collect, and exfiltrate active directory data.
References
|
| CVE-2020-1472 | Microsoft Netlogon Privilege Escalation Vulnerability | primary_impact | T1087.002 | Domain Account |
Comments
CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.
References
|
| CVE-2023-32315 | Ignite Realtime Openfire Path Traversal Vulnerability | secondary_impact | T1087.002 | Domain Account |
Comments
CVE-2023-32315 is a path traversal bug in Openfire's administrative console that could be leveraged for remote code execution. Public reports have indicated that threat actors were exploiting this vulnerability to gain access to the Openfire plugins interface to create new admin console user accounts, install a malicious plugin, and gain access to a webshell.
References
|