Domain Account

Information

• Name: Domain Account

• ID: T1136.002

• Tactics: TA0003

• Technique: T1136

Introduction

Domain Account [T1136.002] is a sub-technique within the MITRE ATT&CK framework under the parent technique "Create Account" (T1136). This technique involves adversaries creating or manipulating domain-level user or service accounts within an Active Directory environment to maintain persistence, escalate privileges, or facilitate lateral movement. Domain accounts provide adversaries with legitimate access credentials, allowing them to blend in with normal network traffic and evade detection.

Deep Dive Into Technique

Adversaries employing Domain Account [T1136.002] typically leverage existing administrative privileges or exploit vulnerabilities to create new domain-level accounts or modify existing ones. These accounts can include standard user accounts, administrative accounts, or service accounts. Attackers may perform the following actions:

• Creation of new domain accounts:

  • Utilize Active Directory Users and Computers (ADUC), PowerShell cmdlets (New-ADUser, New-ADServiceAccount), or command-line utilities (net user /add) to generate new domain accounts.

  • Set passwords, configure permissions, and assign privileges appropriate for their objectives.

• Modification of existing domain accounts:

  • Alter permissions or group memberships of existing accounts to escalate privileges.

  • Reset passwords or disable security controls (e.g., password expiration policies).

• Establishing persistence and lateral movement:

  • Domain accounts allow attackers to maintain long-term access to network resources.

  • Attackers can use these accounts to authenticate across multiple systems, facilitating lateral movement.

Common execution methods and tools include:

• PowerShell scripts and cmdlets:

  • New-ADUser

  • Set-ADAccountPassword

  • Add-ADGroupMember

• Command-line utilities:

  • dsadd user

  • net user

  • dsmod user

• Third-party tools and frameworks:

  • Mimikatz (for credential dumping and account manipulation)

  • PowerSploit framework

  • BloodHound (for reconnaissance and privilege escalation)

When this Technique is Usually Used

Domain Account [T1136.002] typically appears in the following attack scenarios and stages:

• Persistence:

  • Attackers create domain accounts to ensure persistent and reliable access to compromised environments over extended periods.

  • Domain accounts are harder to detect due to their legitimate appearance and integration into standard workflows.

• Privilege Escalation:

  • Adversaries may modify existing domain accounts or create new ones with elevated privileges.

  • Attackers exploit misconfigurations or weak policies within Active Directory to escalate privileges.

• Lateral Movement:

  • Domain accounts enable attackers to authenticate across multiple domain-joined systems without raising suspicion.

  • Attackers leverage domain credentials to pivot between hosts, servers, and services within the victim's infrastructure.

• Credential Access:

  • Attackers leverage domain accounts to access sensitive information, extract credentials, and perform credential dumping.

How this Technique is Usually Detected

Detection of Domain Account [T1136.002] involves monitoring and analyzing several indicators and behaviors:

• Active Directory event logs:

  • Monitor Windows Security Event Logs for event IDs:

    • 4720 (user account created)

    • 4722 (user account enabled)

    • 4724 (password reset)

    • 4738 (user account changed)

  • Monitor for unusual account creation activities, especially during off-hours or from unusual sources.

• Account audits and anomaly detection:

  • Regularly audit newly created domain accounts for legitimacy.

  • Detect accounts with unusual naming conventions, descriptions, or attributes.

  • Monitor for sudden changes in account privileges or group memberships.

• SIEM (Security Information and Event Management) solutions:

  • Correlate account creation events with other suspicious activities, such as lateral movement or privilege escalation attempts.

  • Set alerts for account creations from uncommon IP addresses or systems.

• Endpoint Detection and Response (EDR) tools:

  • Identify suspicious scripts or command-line activities related to domain account creation or modification.

  • Detect usage of known malicious tools such as Mimikatz, PowerSploit, or BloodHound.

• Behavioral analytics and threat hunting:

  • Perform proactive threat hunting to identify anomalous account behaviors.

  • Look for accounts that deviate from standard organizational policies or baseline behaviors.

Specific Indicators of Compromise (IoCs) include:

• Unrecognized domain accounts with administrative privileges.

• Domain accounts created shortly after initial compromise.

• Accounts with passwords set to never expire or weak security settings.

• Suspicious account names mimicking legitimate accounts with slight variations.

Why it is Important to Detect This Technique

Early detection of Domain Account [T1136.002] is critical due to the significant security risks and potential damage it can cause:

• Persistence and long-term compromise:

  • Undetected domain accounts allow attackers to maintain persistent access, extending the duration and severity of compromise.

• Privilege escalation and data exfiltration:

  • Attackers leveraging domain accounts can escalate privileges, gain access to sensitive data, and exfiltrate critical information.

• Lateral movement and widespread compromise:

  • Domain accounts facilitate lateral movement across multiple systems, increasing the scope and complexity of the attack.

• Difficulty of remediation:

  • Once attackers establish domain-level accounts, remediation becomes challenging, requiring extensive investigation and response efforts.

  • Early detection minimizes remediation costs and reduces operational disruption.

• Compliance and regulatory implications:

  • Unauthorized domain account creation and manipulation may lead to violations of regulatory compliance requirements.

  • Early detection helps organizations maintain compliance and avoid potential legal consequences.

Examples

Real-world examples of Domain Account [T1136.002] usage include:

• APT29 (Cozy Bear) operations:

  • APT29 has been known to create new domain accounts and modify existing ones to maintain persistent access and facilitate lateral movement within victim networks.

  • Tools used include PowerShell scripts and custom backdoors to interact with Active Directory.

• FIN7 cybercrime group:

  • FIN7 utilized compromised domain accounts to move laterally within targeted retail and hospitality organizations, escalating privileges and extracting financial data.

  • Attackers leveraged PowerShell and custom scripts to create domain accounts and modify permissions.

• Ryuk ransomware attacks:

  • Ryuk operators have been observed creating new domain administrator accounts to facilitate lateral movement and deploy ransomware payloads across victim networks.

  • Attackers extensively used native Windows tools (net user) and PowerShell.

• Operation Cloud Hopper (APT10):

  • APT10 compromised managed service providers (MSPs), creating domain accounts within customer environments to maintain persistent access and exfiltrate sensitive data.

  • Attackers made use of legitimate administrative tools and PowerShell to manage domain accounts discreetly.

In these examples, attackers leveraged domain accounts to achieve persistent, stealthy access, escalate privileges, and execute their objectives, demonstrating the critical importance of monitoring and detecting this sub-technique.