T1069.002: Domain Groups
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_discovery: PT-CR-1789: Unix_MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
mitre_attck_discovery: PT-CR-1378: PowerView_Recon: Running scripts from the PowerView toolkit used to retrieve information about domains, domain and local groups, and users is detected
mitre_attck_discovery: PT-CR-325: Permission_Groups_Discovery: An attempt to retrieve a list of user group permissions is detected
mitre_attck_discovery: PT-CR-1083: Ldapdomaindump_Queries: Active Directory information is dumped using ldapdomaindump
freeipa: PT-CR-2144: FreeIPA_Suspicious_LDAP_Request: LDAP request to a sensitive attribute in the FreeIPA domain
freeipa: PT-CR-2146: FreeIPA_Recon_Commands: Commands typically used for reconnaissance were executed in the FreeIPA domain
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
active_directory_attacks: PT-CR-832: DACL_Resolver_Aced: The Discretionary Access Control List (DACL) of Active Directory objects was dumped using the Aced utility. Attackers use Aced to create reverse privilege escalation attack paths (starting from the targeted goal).
active_directory_attacks: PT-CR-827: Active_Directory_Snapshot: A snapshot of the Active Directory structure was created. This may indicate that reconnaissance of the Active Directory structure is being conducted. An attacker can use the data obtained to form an attack vector and increase privileges.
active_directory_attacks: PT-CR-2550: LDAP_Discovery: A user executed a suspicious LDAP request that may indicate reconnaissance in the domain
mitre_attck_cred_access: PT-CR-299: LAPS_Enumeration: Search for users, groups, and computers with access to Microsoft LAPS (Local Administrator Password Solution). LAPS automatically manages the local administrator account password and backs up this password on devices connected to Active Directory services.
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-841: SilentHound_AD_Enumeration: Credentials from Active Directory are acquired via enumeration using SilentHound
hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts.
hacking_tools: PT-CR-1790: MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to winreg (2) and wkssvc (1) named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) LoggedOn information collection method
hacking_tools: PT-CR-2017: SharpHound_LDAP_Requests: Detecting the launch of the SharpHound (BloodHound) tool using one of the methods ObjectProps, ACL, Trusts, or Container. ObjectProps collects object properties such as LastLogon or PwdLastSet; ACL collects abusable permissions on objects in Active Directory; Trusts collects domain trusts; Container collects the OU tree structure and Group Policy links
hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_To_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-2118: AdPEAS_Usage: The adPEAS script for domain reconnaissance was started
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
Detection
ID | Data source and component | Description
---|---|---
DS0009 | Process: OS API Execution | Monitor for API calls associated with finding domain-level groups and permission settings, such as Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.
DS0009 | Process: Process Creation | Monitor newly executed processes that may attempt to find domain-level groups and permission settings. For Linux, auditing frameworks that support alerting on process creation, including the audit daemon (auditd), can be used to alert on invocations of commands such as For macOS, utilities that work in concert with Apple's Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 - Local Permission Group Discovery - Net
DS0036 | Group: Group Enumeration | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, e.g. Windows EID 4798 and 4799.
DS0017 | Command: Command Execution | Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings.
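The detection guidance above, turned into a small worked detector as an added example (this is not code from the page, from MaxPatrol SIEM, or from MITRE). It applies the page's data sources to constructed log records: process-creation events (Windows Security 4688, Sysmon Event ID 1, auditd EXECVE, a macOS exec event) are matched against the discovery commands the page names (net group /domain, dscacheutil -q group, ldapsearch), and Windows Security events 4798/4799 are treated as group-enumeration signals. The event field names (`source`, `event_id`, `command_line`, `target_group`) and the sample records are assumptions made for this example, not a real log schema.

```python
"""
Added example (not code from the Positive Technologies page or from MaxPatrol SIEM):
a minimal detector for T1069.002 that flags process-creation events whose command
line is one of the discovery commands named on the page, plus Windows Security Log
events 4798/4799 (group membership enumeration), and then correlates per user.
Event field names and sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Command-line patterns derived from the commands the page names.
DISCOVERY_PATTERNS = [
    ("net_group_domain", re.compile(r"\bnet1?(\.exe)?\s+group\b.*\s/domain\b", re.I)),
    ("dscacheutil_group", re.compile(r"\bdscacheutil\s+(-q|-query)\s+group\b", re.I)),
    ("ldapsearch", re.compile(r"\bldapsearch\b", re.I)),
]

# Windows Security Log IDs cited on the page: 4688 (new process created),
# 4798/4799 (group membership enumerated). Sysmon Event ID 1 is process creation.
WIN_PROCESS_CREATION = 4688
WIN_GROUP_ENUMERATION = {4798, 4799}
SYSMON_PROCESS_CREATE = 1

# Constructed sample events (not real telemetry); the schema is an assumption.
SAMPLE_EVENTS = [
    {"source": "windows_security", "event_id": 4688, "host": "WS01",
     "user": "CORP\\jdoe", "command_line": 'net  group "Domain Admins" /domain'},
    {"source": "windows_security", "event_id": 4688, "host": "WS01",
     "user": "CORP\\jdoe", "command_line": "notepad.exe C:\\notes.txt"},
    {"source": "sysmon", "event_id": 1, "host": "WS02",
     "user": "CORP\\svc_backup", "command_line": "C:\\Windows\\System32\\net1.exe group /domain"},
    {"source": "windows_security", "event_id": 4799, "host": "DC01",
     "user": "CORP\\jdoe", "target_group": "Domain Admins"},
    {"source": "auditd", "event_id": "EXECVE", "host": "lnx01", "user": "alice",
     "command_line": "ldapsearch -x -H ldap://dc01.corp.example -b dc=corp,dc=example (objectClass=group)"},
    {"source": "macos", "event_id": "exec", "host": "mac01", "user": "bob",
     "command_line": "dscacheutil -q group -a name admin"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    evidence: str
    technique: str = "T1069.002"


def classify_command(command_line: str) -> Optional[str]:
    """Return the name of the first discovery pattern the command line matches, else None."""
    for name, pattern in DISCOVERY_PATTERNS:
        if pattern.search(command_line):
            return name
    return None


def is_process_creation(event: dict) -> bool:
    """True for the process-creation record types this example understands."""
    src, eid = event["source"], event["event_id"]
    return ((src == "windows_security" and eid == WIN_PROCESS_CREATION)
            or (src == "sysmon" and eid == SYSMON_PROCESS_CREATE)
            or (src == "auditd" and eid == "EXECVE")
            or (src == "macos" and eid == "exec"))


def detect(events: List[dict]) -> List[Finding]:
    """Apply the command-line patterns and the 4798/4799 group-enumeration check."""
    findings = []
    for ev in events:
        if is_process_creation(ev):
            rule = classify_command(ev.get("command_line", ""))
            if rule:
                findings.append(Finding(ev["host"], ev["user"], rule, ev["command_line"]))
        elif ev["source"] == "windows_security" and ev["event_id"] in WIN_GROUP_ENUMERATION:
            findings.append(Finding(ev["host"], ev["user"],
                                    f"group_enumeration_{ev['event_id']}",
                                    ev.get("target_group", "")))
    return findings


def correlate_by_user(findings: List[Finding], min_rules: int = 2) -> Dict[str, List[str]]:
    """Users that triggered at least min_rules distinct rules. A single net group
    call is routine for administrators; several distinct signals from one account
    are a better escalation criterion."""
    by_user: Dict[str, set] = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.rule)
    return {u: sorted(r) for u, r in by_user.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.technique} {f.rule:<24} {f.host:<6} {f.user:<16} {f.evidence}")
    print("escalate:", correlate_by_user(found))
```

Running the block on the constructed events yields five findings (two net group invocations, one 4799 enumeration, one ldapsearch, one dscacheutil); only CORP\jdoe crosses the two-rule threshold in correlate_by_user. In a SIEM the same two-stage shape applies: the per-event matches are the noisy layer, and the per-user (or per-host) aggregation is what is worth alerting on.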