Skip to content

Latest commit

 

History

History
404 lines (221 loc) · 10.6 KB

T1087.002.md

File metadata and controls

404 lines (221 loc) · 10.6 KB
Raw

T1087.002 - Domain Account

Description from ATT&CK

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.

Atomic Tests


Atomic Test #1 - Enumerate all accounts (Domain)

Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net user /domain
net group /domain


Atomic Test #2 - Enumerate all accounts via PowerShell (Domain)

Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.

Supported Platforms: Windows

Attack Commands: Run with powershell!

net user /domain
get-localgroupmember -group Users
get-aduser -filter *


Atomic Test #3 - Enumerate logged on users via CMD (Domain)

Enumerate logged on users. Upon exeuction, logged on users will be displayed.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
computer_name Name of remote system to query String $env:COMPUTERNAME

Attack Commands: Run with command_prompt!

query user /SERVER:#{computer_name}


Atomic Test #4 - Automated AD Recon (ADRecon)

ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
adrecon_path Path of ADRecon.ps1 file Path $env:TEMP\ADRecon.ps1

Attack Commands: Run with powershell!

Invoke-Expression #{adrecon_path}

Cleanup Commands:

Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse

Dependencies: Run with powershell!

Description: ADRecon must exist on disk at specified location (#{adrecon_path})
Check Prereq Commands:
if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path}


Atomic Test #5 - Adfind -Listing password policy

Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
adfind_path Path to the AdFind executable Path PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
Check Prereq Commands:
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}


Atomic Test #6 - Adfind - Enumerate Active Directory Admins

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
adfind_path Path to the AdFind executable Path PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -sc admincountdmp

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
Check Prereq Commands:
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}


Atomic Test #7 - Adfind - Enumerate Active Directory User Objects

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
adfind_path Path to the AdFind executable Path PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -f (objectcategory=person)

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
Check Prereq Commands:
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}


Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
adfind_path Path to the AdFind executable Path PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -sc exchaddresses

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
Check Prereq Commands:
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}


Atomic Test #9 - Enumerate Default Domain Admin Details (Domain)

This test will enumerate the details of the built-in domain admin account

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net user administrator /domain


Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation

Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
domain Domain FQDN String contoso.com
uac_prop UAC Property to search String 524288

Attack Commands: Run with powershell!

Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}

Dependencies: Run with powershell!

Description: PowerShell ActiveDirectory Module must be installed
Check Prereq Commands:
Try {
    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
    exit 0
}
Catch {
    exit 1
}
Get Prereq Commands:
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
  Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
  Install-WindowsFeature RSAT-AD-PowerShell
}