
Sykipot may use net group "domain admins" /domain to display accounts in the "domain admins" permissions group and net localgroup "administrators" to list local system administrator group membership. Stuxnet enumerates user accounts of the domain. SoreFang can enumerate domain accounts via net.exe user /domain.

SILENTTRINITY can use namespaces to retrieve domain user information. Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.
POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim. PoshC2 can enumerate local and domain user account information. Poseidon Group searches for administrator accounts on both the local victim machine and the network. OSInfo enumerates local and domain users. During Operation Wocao, threat actors used the net command to retrieve information about domain accounts. During Operation CuckooBees, the threat actors used the dsquery and dsget commands to get domain environment information and to query users in administrative groups. OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. Net commands used with the /domain flag can be used to gather information about and manipulate user accounts on the current domain. MuddyWater has used cmd.exe net user /domain to enumerate domain users. MenuPass has used the Microsoft administration tool csvde.exe to export Active Directory data. Lazarus Group has queried an Active Directory server to obtain the list of accounts, including administrator accounts. LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network. Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups. IcedID can query LDAP to identify additional users on the network to infect. The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server. Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts. FIN6 has used Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database. Empire can acquire local and domain user account information. Dsquery can be used to gather information on user accounts within a domain.
Dragonfly has used batch scripts to enumerate users on a victim domain controller. CrackMapExec can enumerate the domain user accounts on a targeted system. Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group. Chimera has used net user /dom and net user Administrator to enumerate domain accounts, including administrator accounts. BRONZE BUTLER has used net user /domain to identify account information. BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users. BloodHound can collect information about domain users, including identification of domain admin accounts.


Bazar has the ability to identify domain administrator accounts. Bankshot gathers domain and account names/information through process monitoring. APT29 has used PowerShell to discover domain accounts by executing Get-ADUser and Get-ADGroupMember.
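The procedure examples above share a small set of command lines (net user/group with /domain, net localgroup administrators, dsquery/dsget, csvde.exe, Get-ADUser/Get-ADGroupMember). The following detection sketch, added here and not part of the original page, matches those patterns against process-creation events and flags hosts where several distinct enumeration patterns fire; the event field layout and the sample events are constructed assumptions, not a real product's log format.

```python
import re
from typing import Dict, List

# One rule per command family named in the examples above. Patterns are applied to
# the lowercased command line; net.exe hands off to net1.exe, so both spellings count.
RULES = [
    ("net user/group with /domain",
     re.compile(r"\bnet1?(\.exe)?\s+(user|group)\b.*\s/dom(ain)?\b")),
    ("net localgroup administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+\"?administrators\"?")),
    ("dsquery/dsget AD query", re.compile(r"\bds(query|get)(\.exe)?\b")),
    ("csvde AD export", re.compile(r"\bcsvde(\.exe)?\b")),
    ("PowerShell AD cmdlets", re.compile(r"\bget-ad(user|groupmember)\b")),
]

def classify(cmdline: str) -> List[str]:
    """Return the labels of every rule the command line matches (empty if benign)."""
    lowered = cmdline.lower()
    return [label for label, rx in RULES if rx.search(lowered)]

def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only events that match at least one rule, annotated with the rule labels."""
    hits = []
    for ev in events:
        labels = classify(ev["cmdline"])
        if labels:
            hits.append({**ev, "rule": "; ".join(labels)})
    return hits

def noisy_hosts(hits: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts where at least `threshold` distinct patterns fired. Several different
    enumeration commands from one host is stronger evidence than a single hit."""
    by_host: Dict[str, set] = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).update(h["rule"].split("; "))
    return sorted(host for host, rules in by_host.items() if len(rules) >= threshold)

# Constructed sample process-creation events (hostnames, users and layout are made up).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "cmdline": 'net group "domain admins" /domain'},
    {"host": "ws01", "user": "alice", "cmdline": "net localgroup administrators"},
    {"host": "ws02", "user": "bob",   "cmdline": "cmd.exe /c net user /dom"},
    {"host": "ws03", "user": "carol", "cmdline": "dsquery user -limit 0"},
    {"host": "ws04", "user": "dave",  "cmdline": "powershell -c Get-ADGroupMember 'Domain Admins'"},
    {"host": "ws05", "user": "erin",  "cmdline": "net use Z: \\\\fs01\\share"},  # benign
    {"host": "ws06", "user": "frank", "cmdline": "ping dc01.corp.example"},       # benign
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["user"]}: {hit["cmdline"]}  <- {hit["rule"]}')
    print("hosts with multiple patterns:", noisy_hosts(scan(SAMPLE_EVENTS)))
```

Legitimate administrators run these same commands, so in practice the matches are scored against the executing user's role and baseline rather than alerted on individually.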
