Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)
Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as OS Credential Dumping or password reuse, allowing access to privileged resources of the domain.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IA-13 | Identity Providers and Authorization Servers | mitigates | T1078.002 | Domain Accounts | |
| CM-06 | Configuration Settings | mitigates | T1078.002 | Domain Accounts | |
| CM-05 | Access Restrictions for Change | mitigates | T1078.002 | Domain Accounts | |
| IA-05 | Authenticator Management | mitigates | T1078.002 | Domain Accounts | |
| IA-12 | Identity Proofing | mitigates | T1078.002 | Domain Accounts | |
| AC-20 | Use of External Systems | mitigates | T1078.002 | Domain Accounts | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1078.002 | Domain Accounts | |
| SI-04 | System Monitoring | mitigates | T1078.002 | Domain Accounts | |
| AC-02 | Account Management | mitigates | T1078.002 | Domain Accounts | |
| AC-03 | Access Enforcement | mitigates | T1078.002 | Domain Accounts | |
| AC-05 | Separation of Duties | mitigates | T1078.002 | Domain Accounts | |
| AC-06 | Least Privilege | mitigates | T1078.002 | Domain Accounts | |
| AC-07 | Unsuccessful Logon Attempts | mitigates | T1078.002 | Domain Accounts |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1078.002 | Domain Accounts |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
References
|
| cloud_identity | Cloud Identity | technique_scores | T1078.002 | Domain Accounts |
Comments
This control can be used to mitigate malicious attacks of domain accounts by implementing multi-factor authentication techniques or password policies.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_single_sign-on | AWS Single Sign-On | technique_scores | T1078.002 | Domain Accounts |
Comments
This control may protect against malicious use of valid accounts by implementing fine grained and least privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.
References
|