Additional Local or Domain Groups

Information

• Name: Additional Local or Domain Groups

• ID: T1098.007

• Tactics: TA0003, TA0004

• Technique: T1098

Introduction

The MITRE ATT&CK sub-technique "Additional Local or Domain Groups" (T1098.007) falls under the broader technique of Account Manipulation (T1098). It refers to adversaries creating or modifying local or domain groups within a compromised environment to maintain persistence, escalate privileges, or facilitate lateral movement. Attackers leverage these groups to blend in with normal administrative activities, making detection challenging. Understanding this sub-technique is essential for defenders to recognize unauthorized alterations to group accounts and mitigate potential threats.

Deep Dive Into Technique

Attackers performing this sub-technique typically follow these technical steps:

• Local Group Creation or Modification:

  • Attackers may create or modify local groups on compromised endpoints to establish persistence and maintain control.

  • Using built-in utilities such as net.exe, net localgroup, or PowerShell cmdlets (New-LocalGroup, Add-LocalGroupMember), attackers can silently establish new groups or add compromised accounts to existing groups.

• Domain Group Creation or Modification:

  • Attackers with domain admin privileges or sufficient permissions may create new domain groups or modify existing ones to facilitate lateral movement and privilege escalation across the domain.

  • Common tools and techniques include Active Directory Users and Computers (ADUC), PowerShell AD cmdlets (e.g., New-ADGroup, Add-ADGroupMember), or direct LDAP queries and modifications.

• Group Nesting and Privilege Escalation:

  • Adversaries may nest groups strategically to inherit permissions from higher-privileged groups, thus indirectly escalating privileges without attracting immediate attention.

  • Attackers could add their compromised accounts to existing privileged groups such as "Domain Admins," "Enterprise Admins," or custom administrative groups.

• Persistence and Stealth:

  • Creating additional groups allows attackers to maintain persistent access even if individual compromised accounts are discovered and disabled.

  • Attackers often use innocuous-sounding group names or mimic legitimate administrative groups to avoid suspicion.

When this Technique is Usually Used

Attackers employ "Additional Local or Domain Groups" in various stages and scenarios, including:

• Privilege Escalation:

  • Attackers add compromised accounts to privileged groups or create new groups with high-level privileges to escalate their access rights.

• Persistence:

  • Creating or modifying groups ensures persistent access, even if initial compromised accounts are disabled or passwords changed.

• Lateral Movement:

  • Domain groups provide attackers the means to move laterally across multiple systems within the domain, leveraging inherited permissions and trust relationships.

• Credential Access and Reconnaissance:

  • Attackers may use group memberships to enumerate additional targets, gather credentials, or identify sensitive assets within Active Directory environments.

• Defense Evasion:

  • Attackers create or modify groups with names similar to legitimate administrative groups to blend in and evade detection by security teams.

How this Technique is Usually Detected

Detection of "Additional Local or Domain Groups" typically involves monitoring, auditing, and analyzing group membership changes and creation events:

• Event Log Monitoring:

  • Windows Security Event Logs, especially Event IDs:

    • 4727: A security-enabled global group was created.

    • 4731: A security-enabled local group was created.

    • 4754: A security-enabled universal group was created.

    • 4728, 4732, 4756: Members were added to security-enabled groups.

  • Regular monitoring and alerting on these events can help identify suspicious group activity.

• Audit Policies and SIEM Solutions:

  • Implement advanced audit policies to log group creation and membership changes.

  • Centralize log aggregation and correlation using SIEM solutions (e.g., Splunk, ELK, QRadar) to detect unusual patterns or anomalies.

• Active Directory Monitoring Tools:

  • Utilize specialized Active Directory monitoring tools (e.g., Microsoft Defender for Identity, BloodHound, PingCastle) to detect unusual group nesting or privilege escalation paths.

• Endpoint Detection and Response (EDR):

  • EDR solutions can detect suspicious command-line activities (e.g., net localgroup, PowerShell cmdlets) indicative of unauthorized group manipulation.

• Indicators of Compromise (IoCs):

  • Unrecognized or newly created administrative groups.

  • Unexpected additions of standard user accounts into privileged groups.

  • Suspicious PowerShell scripts or command-line arguments related to group management.

Why it is Important to Detect This Technique

Early detection of "Additional Local or Domain Groups" is critical due to the following potential impacts:

• Privilege Escalation Risks:

  • Attackers who successfully manipulate groups can escalate privileges, gaining administrative or system-level access, and significantly increasing their potential damage and control.

• Persistence and Long-Term Compromise:

  • Attackers can maintain persistent access through group memberships, even after initial compromised accounts are remediated, resulting in prolonged threats within the environment.

• Lateral Movement and Wider Compromise:

  • Unauthorized domain group modifications enable attackers to move laterally across multiple systems, potentially compromising critical infrastructure, sensitive data, and intellectual property.

• Evasion of Detection and Defense Mechanisms:

  • Attackers who blend into legitimate administrative groups or mimic standard naming conventions may evade detection and continue malicious activities unnoticed.

• Compliance and Regulatory Risks:

  • Unauthorized group changes may lead to compliance violations, audit failures, and regulatory penalties.

Examples

Real-world examples demonstrating the use of "Additional Local or Domain Groups" include:

• APT29 (Cozy Bear):

  • During the SolarWinds supply chain compromise, APT29 leveraged domain administrative privileges to create new Active Directory groups and add compromised accounts, enabling lateral movement and persistence across victim networks.

• FIN6 Group:

  • FIN6 attackers have been observed creating new local administrative groups on compromised point-of-sale (POS) systems, allowing persistent access and facilitating further data exfiltration activities.

• Ryuk Ransomware Attacks:

  • Attackers deploying Ryuk ransomware frequently manipulate domain groups, adding compromised accounts into privileged groups to spread ransomware rapidly across victim organizations.

• PowerSploit Framework:

  • Attackers leveraging PowerSploit scripts often use PowerShell cmdlets (New-ADGroup, Add-ADGroupMember) to create and modify domain groups silently, establishing persistent and privileged access.

• TrickBot Malware:

  • TrickBot operators have been known to enumerate and modify local group memberships using built-in Windows utilities (net localgroup) to escalate privileges and maintain persistence on compromised endpoints.

These examples highlight the importance of monitoring and detecting unauthorized group creation or modifications to mitigate risks associated with this sub-technique.