Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts()
Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.01 | Network segmentation | Mitigates | T1482 | Domain Trust Discovery |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation for sensitive domains can help prevent adversary exploitation of domain trust relationships.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1482 | Domain Trust Discovery | |
SA-17 | Developer Security and Privacy Architecture and Design | mitigates | T1482 | Domain Trust Discovery | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1482 | Domain Trust Discovery | |
SC-46 | Cross Domain Policy Enforcement | mitigates | T1482 | Domain Trust Discovery | |
CM-02 | Baseline Configuration | mitigates | T1482 | Domain Trust Discovery | |
SA-08 | Security and Privacy Engineering Principles | mitigates | T1482 | Domain Trust Discovery | |
CM-07 | Least Functionality | mitigates | T1482 | Domain Trust Discovery | |
AC-04 | Information Flow Enforcement | mitigates | T1482 | Domain Trust Discovery | |
SC-07 | Boundary Protection | mitigates | T1482 | Domain Trust Discovery |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2023-22952 | Multiple SugarCRM Products Remote Code Execution Vulnerability | secondary_impact | T1482 | Domain Trust Discovery |
Comments
This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated attacker via a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
This vulnerability has been exploited by threat actors to gain initial access to AWS accounts by injecting custom PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations to expand their access, obtaining long-term AWS access keys from compromised EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations and Cost and Usage services. The attackers moved laterally by creating RDS snapshots and new EC2 instances, modifying security groups, and attempting to escalate privileges by logging in as the Root user. They also employed defense evasion techniques, including deploying resources in non-standard regions and intermittently stopping EC2 instances to avoid detection and minimize costs.
The exploit in question is actively being used to compromise hosts by installing a PHP-based web shell. It involves an authentication bypass against the "/index.php" endpoint of the targeted service. Once bypassed, the attacker obtains a cookie and sends a secondary POST request to "/cache/images/sweet.phar" to upload a small PNG-encoded file containing PHP code. This file acts as a web shell, allowing the execution of commands specified in the base64-encoded query argument "c". For example, a request like 'POST /cache/images/sweet.phar?c="L2Jpbi9pZA=="' would execute the command "/bin/id" with the same permissions as the web service's user.
References
|
CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1482 | Domain Trust Discovery |
Comments
This vulnerability is exploited by a remote adversary who has either authenticated to a Microsoft Exchange Server or has gained access to PowerShell prior to leveraging this vulnerability. The adversary then performs remote code execution via PowerShell to install a Chopper web shell to perform Active Directory reconnaissance and data exfiltration.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1482 | Domain Trust Discovery |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1482 | Domain Trust Discovery |
Comments
VPC security groups and network access control lists (NACLs) can be used to isolate sensitive domains to limit discovery.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1482 | Domain Trust Discovery |
Comments
This control's "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" alert may be able to detect this operation. There are statements in the documentation for the alert, such as: "Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...", that may indicate support for detecting this technique. The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned.
References
|