Domain Groups

Information

• Name: Domain Groups

• ID: T1069.002

• Tactics: TA0007

• Technique: T1069

Introduction

Domain Groups (T1069.002) is a sub-technique under the MITRE ATT&CK framework technique "Permission Groups Discovery" (T1069). Attackers leverage this sub-technique to enumerate domain-level groups and permissions, enabling them to gain deeper insight into the organization's Active Directory (AD) structure, security configurations, and privilege assignments. Understanding domain groups helps adversaries identify high-value targets, privileged accounts, and opportunities for lateral movement and privilege escalation within the targeted environment.

Deep Dive Into Technique

Attackers commonly execute this sub-technique by querying Active Directory or domain controllers to enumerate domain groups and their memberships. Technical mechanisms and procedures include:

• Using built-in Windows command-line utilities:

  • net group /domain: Lists all domain groups.

  • net group "Domain Admins" /domain: Displays members of the specified domain group (e.g., Domain Admins).

  • dsquery group: Queries Active Directory groups and returns their distinguished names.

  • dsget group: Retrieves detailed information about AD groups and their members.

• Leveraging PowerShell scripts and cmdlets:

  • Get-ADGroup and Get-ADGroupMember: Enumerate AD groups and their members.

  • Custom scripts that automate enumeration and parsing of AD group information.

• Utilizing third-party tools and frameworks:

  • BloodHound: Graphically maps AD groups, users, and relationships to identify privilege escalation paths.

  • PowerView (part of PowerSploit): PowerShell-based enumeration tool used to identify domain groups, members, and permissions.

  • ADRecon: Automated enumeration tool providing detailed reports on AD groups and their permissions.

Real-world execution typically involves initial compromise of a domain-joined system, followed by enumeration commands executed via compromised user accounts or scripts deployed through command-and-control (C2) channels.

When this Technique is Usually Used

Attackers commonly employ domain group enumeration at various stages of an attack lifecycle, particularly during reconnaissance and lateral movement phases. Typical scenarios include:

• Initial Reconnaissance:

  • After initial access, adversaries enumerate domain groups to identify critical accounts and privileged groups (e.g., Domain Admins, Enterprise Admins).

  • Attackers map out organizational hierarchy and security posture to plan further attack steps.

• Privilege Escalation:

  • Attackers analyze domain groups to identify accounts with elevated privileges or administrative rights that can be targeted for credential harvesting or privilege escalation.

• Lateral Movement:

  • Enumeration of groups helps attackers identify additional hosts, users, or resources accessible through compromised accounts or group memberships.

  • Attackers leverage enumerated group information to move laterally within the network, pivoting to systems accessible via group permissions.

• Persistence and Defense Evasion:

  • Attackers identify domain groups with permissions to modify security settings, create accounts, or alter critical infrastructure to maintain persistence and evade detection.

How this Technique is Usually Detected

Organizations can detect domain group enumeration through various security monitoring and detection methods, including:

• Endpoint Detection and Response (EDR) Tools:

  • Monitor execution of suspicious processes or commands such as net group, dsquery, dsget on endpoints.

  • Detect abnormal execution of PowerShell scripts or cmdlets related to AD enumeration.

• Centralized Logging and SIEM Solutions:

  • Monitor Windows Security event logs (Event ID 4661, 4662, 4798, 4799, 4768, 4769) for unusual enumeration of AD groups or permissions.

  • Correlate logs from multiple sources to detect patterns indicative of enumeration activities.

• Network Monitoring and Intrusion Detection Systems (IDS):

  • Detect and alert on unusual LDAP queries or SMB traffic targeting domain controllers or Active Directory servers.

  • Identify anomalous network behavior patterns, including increased enumeration activity from specific hosts or accounts.

• Honeytokens and Deception Techniques:

  • Deploy fake domain groups or accounts to trigger alerts when enumerated by attackers.

  • Utilize deception technologies to detect enumeration attempts early in the attack lifecycle.

Indicators of Compromise (IoCs) associated with Domain Groups enumeration include:

• Unusual command-line execution patterns involving domain enumeration utilities.

• Sudden spikes in LDAP queries originating from compromised hosts.

• Unauthorized access attempts or queries targeting sensitive domain groups (e.g., Domain Admins, Enterprise Admins).

Why it is Important to Detect This Technique

Early detection of domain group enumeration is critical due to the significant potential impact on organizational security posture. Possible impacts include:

• Privilege Escalation:

  • Attackers identify privileged groups and accounts, enabling privilege escalation and gaining administrative control over critical resources.

• Lateral Movement Facilitation:

  • Enumeration of domain groups helps attackers identify additional network resources and user accounts, facilitating lateral movement and broader network compromise.

• Credential Theft and Account Compromise:

  • Attackers target enumerated domain groups and their members, increasing the risk of credential theft, account compromise, and unauthorized access.

• Persistence and Defense Evasion:

  • Attackers leverage enumerated group information to establish persistence, modify security policies, or evade detection by blending in with legitimate administrative activities.

Early detection allows security teams to:

• Quickly identify and respond to reconnaissance activities, limiting attacker visibility and reducing attack surface.

• Prevent lateral movement and privilege escalation by proactively mitigating identified security gaps.

• Minimize potential damage and reduce risk exposure by promptly containing and remediating compromised accounts and systems.

Examples

Real-world examples demonstrating Domain Groups (T1069.002) enumeration include:

• APT29 (Cozy Bear):

  • Employed PowerShell-based enumeration scripts (PowerView) to identify domain groups and privileged accounts within compromised networks.

  • Leveraged enumerated group information to escalate privileges and move laterally towards high-value targets.

• FIN6:

  • Conducted domain enumeration using built-in utilities (net group /domain) and custom PowerShell scripts to identify critical domain groups and privileged accounts.

  • Used enumerated information to compromise administrative accounts, deploy malware, and exfiltrate sensitive financial data.

• Ryuk Ransomware Attacks:

  • Attackers executed extensive domain enumeration commands (net group, dsquery) to identify privileged groups, administrative accounts, and backup operators.

  • Leveraged enumerated domain group information to disable backups, escalate privileges, and deploy ransomware payloads across organizational networks.

• BloodHound Usage:

  • Attackers frequently use BloodHound to visually map domain groups, memberships, and privilege escalation paths within Active Directory environments.

  • Enables rapid identification of vulnerable paths for escalation and lateral movement, significantly accelerating adversary operations.

These examples illustrate how attackers leverage domain group enumeration to facilitate various stages of cyberattacks, underscoring the importance of proactive detection, monitoring, and defense strategies.