Domain Accounts

Information

• Name: Domain Accounts

• ID: T1078.002

• Tactics: TA0005, TA0003, TA0004, TA0001

• Technique: T1078

Introduction

Domain Accounts (T1078.002) is a sub-technique within the MITRE ATT&CK framework under the broader technique of Valid Accounts (T1078). This sub-technique specifically refers to adversaries leveraging valid domain-level accounts—such as Active Directory (AD) accounts—to gain unauthorized access, persist within the network, escalate privileges, and move laterally across enterprise environments. Domain accounts typically provide attackers with extensive access to organizational resources, enabling them to operate covertly and efficiently within the targeted infrastructure.

Deep Dive Into Technique

Attackers exploiting domain accounts typically leverage credentials obtained through various means, including credential dumping, phishing attacks, brute forcing, or purchasing leaked credentials on underground forums. Once domain-level credentials are acquired, adversaries can authenticate directly against domain controllers, file servers, workstations, or other domain-joined resources.

Technical execution methods and mechanisms include:

• Credential Theft and Reuse:

  • Using tools such as Mimikatz, CrackMapExec, or BloodHound to extract and analyze domain credentials.

  • Exploiting insecure credential storage or plaintext passwords found in scripts, files, or memory.

• Pass-the-Hash (PtH) and Pass-the-Ticket (PtT):

  • Utilizing hashes or Kerberos tickets to authenticate without knowing cleartext passwords.

  • Common tools used for PtH and PtT include Mimikatz, Impacket suite, and Rubeus.

• Kerberoasting and AS-REP Roasting:

  • Targeting service accounts within the domain to obtain Kerberos tickets that can be cracked offline.

  • Tools such as Rubeus, Impacket's GetUserSPNs.py, and Hashcat are often employed.

• Golden and Silver Ticket Attacks:

  • Forging Kerberos tickets granting persistent and stealthy access to domain resources.

  • Golden tickets leverage the domain's KRBTGT account, whereas silver tickets exploit service account credentials.

• Domain Enumeration and Reconnaissance:

  • Using tools like BloodHound, PowerView, and Active Directory reconnaissance scripts to map domain structure, identify privileged accounts, and plan lateral movement.

When this Technique is Usually Used

Domain Accounts (T1078.002) can appear across multiple stages of the cyber attack lifecycle, including:

• Initial Access and Persistence:

  • Valid domain credentials are used to gain initial footholds or maintain persistent access to the network without raising suspicion.

  • Attackers often target domain accounts early to establish deeper persistence and evade detection.

• Privilege Escalation and Credential Access:

  • Compromising domain administrator accounts or privileged service accounts to escalate privileges within the domain.

  • Domain account access facilitates further credential theft and privilege escalation via lateral movement and reconnaissance.

• Lateral Movement:

  • Leveraging valid domain credentials to move laterally across domain-joined systems and resources seamlessly.

  • Domain credentials enable attackers to authenticate legitimately, minimizing the chances of detection.

• Defense Evasion and Execution:

  • Using legitimate domain accounts to bypass security controls, evade detection mechanisms, and execute malicious payloads or commands without triggering alerts.

• Impact and Exfiltration:

  • Domain-level credentials provide attackers with extensive access to sensitive data and systems, enabling data theft, ransomware deployment, or sabotage.

How this Technique is Usually Detected

Detection of Domain Accounts (T1078.002) involves monitoring, analyzing, and correlating multiple event sources within the enterprise environment. Common detection methods and indicators of compromise (IoCs) include:

• Monitoring Authentication Logs:

  • Analyze Windows Security Event logs (Event IDs 4624, 4625, 4768, 4769, 4771) for irregular authentication patterns or failed login attempts.

  • Detect unusual login times, locations, or frequency of domain account usage.

• Kerberos Ticket Activity:

  • Monitor for unusual Kerberos ticket requests, particularly service ticket requests (TGS requests) indicative of Kerberoasting.

  • Detect anomalies in Kerberos ticket lifetimes or unusual ticket encryption types.

• Domain Controller Activity:

  • Monitor logs from domain controllers for suspicious activities, such as unusual LDAP queries, excessive enumeration, or unexpected account lockouts.

  • Analyze domain controller network traffic for abnormal connections or data transfers.

• Endpoint Detection and Response (EDR) Solutions:

  • Utilize EDR tools to detect credential dumping tools like Mimikatz, Rubeus, or Impacket.

  • Identify suspicious processes, memory injections, or PowerShell commands associated with credential theft.

• Behavioral Analytics and SIEM Correlation:

  • Implement security information and event management (SIEM) solutions with behavior-based rules to detect abnormal domain account usage patterns.

  • Correlate authentication events, privilege escalation attempts, and lateral movement activities to identify compromise.

• Specific Indicators of Compromise (IoCs):

  • Presence of credential theft tools (e.g., Mimikatz binaries, PowerShell scripts).

  • Unusual or unauthorized privileged account creation or modification within Active Directory.

  • Suspicious domain account login attempts from unfamiliar IP addresses or geographic locations.

Why it is Important to Detect This Technique

Early detection of Domain Accounts (T1078.002) exploitation is critical due to the severe potential impacts on organizational security posture and operational integrity. Importance of detection includes:

• Preventing Privilege Escalation and Lateral Movement:

  • Early detection limits attackers' ability to escalate privileges and propagate through the network, containing the compromise and reducing damage.

• Reducing Risk of Data Exfiltration and Breaches:

  • Domain accounts provide broad access to sensitive data and systems; detecting misuse can prevent significant data loss, intellectual property theft, or sensitive information leakage.

• Avoiding Operational Disruption and Financial Loss:

  • Unauthorized domain-level access can lead to ransomware deployment, sabotage, or disruption of critical business operations, resulting in severe financial and reputational damage.

• Maintaining Regulatory Compliance:

  • Early detection and response assist organizations in meeting regulatory requirements and avoiding penalties or legal consequences associated with breaches or data compromise.

• Improving Overall Security Posture:

  • Detecting and responding to domain account misuse strengthens the organization's security maturity, enabling proactive defense strategies and continuous improvement of security policies and controls.

Examples

Real-world examples illustrating Domain Accounts (T1078.002) exploitation include:

• NotPetya Attack (2017):

  • Attackers leveraged compromised domain-level credentials and tools such as Mimikatz to spread malware rapidly across enterprise networks.

  • Impact included massive operational disruption, financial losses, and widespread systems damage.

• APT29 (Cozy Bear) Campaigns:

  • Utilized stolen domain credentials and Kerberos ticket manipulation techniques (Pass-the-Ticket) for lateral movement and persistence within targeted networks.

  • Enabled espionage activities, data exfiltration, and long-term stealthy access.

• Ryuk Ransomware Attacks:

  • Attackers leveraged domain administrator credentials obtained via credential theft tools and phishing campaigns to propagate ransomware across enterprise environments.

  • Resulted in significant operational disruptions, financial losses, and reputational damage.

• FIN6 Financial Sector Attacks:

  • Used compromised domain accounts and credential theft techniques to access sensitive financial systems, exfiltrate credit card data, and conduct fraudulent transactions.

  • Caused substantial financial losses and regulatory impacts for affected organizations.

• SolarWinds Supply Chain Attack (2020):

  • Attackers compromised domain-level accounts within victim organizations to move laterally, conduct reconnaissance, and access sensitive data.

  • Resulted in extensive espionage activities, data breaches, and widespread organizational impact.

In these examples, attackers consistently leveraged domain accounts to achieve critical objectives, highlighting the importance of detecting, mitigating, and responding to this sub-technique promptly and effectively.