This micro emulation plan targets compound behaviors associated with TA0007 Discovery, specifically abuse of Active Directory (AD). Adversaries use various means to gather internal knowledge about victim environments. Active Directory, specifically Active Directory Domain Services (AD DS), is often targeted as a rich and accessible source of information about the objects in a network.
What are we doing? This module provides an easy-to-execute tool that issues a set of queries to enumerate various types of information within an AD environment. Execution of this module aims to produce telemetry similar (but not identical) to that of the AD enumeration tools used in the wild.
The following ATT&CK v11 techniques are used in this emulation plan:
- T1087 Account Discovery
- T1135 Network Share Discovery
- T1069 Permission Groups Discovery
- T1018 Remote System Discovery
- T1049 System Network Connections Discovery
- T1033 System Owner/User Discovery
Why you should care? Threat actors and malware use TA0007 Discovery to gather internal knowledge about a victim environment that can be used to plan/shape next steps (ex: TA0008 Lateral Movement and/or TA0004 Privilege Escalation) during an intrusion. There are various ways an adversary can collect different types of information, but Active Directory (AD) is commonly abused given its accessibility and wealth of data spanning accounts, hosts, services, etc. AD enumeration is very often observed as a precursor to the deployment of ransomware to most if not all domain-joined systems.
Various interfaces and APIs exist to query AD, but threat actors often opt to abuse available tools/utilities such as S0521 BloodHound (and its SharpHound collector), S0552 AdFind, S0105 dsquery, and [S0359 Nltest](https://attack.mitre.org/software/S0359/). These dual-use tools may make execution of these discovery behaviors easier for adversaries while also potentially blending in with legitimate administrator activity.
The ad_enum.exe executable invokes a series of AD enumeration queries based on provided arguments. The source code for this module is also provided if you wish to further customize and rebuild. The queries are:
- 0: Query LDAP for all users, and output user information
- 1: Query LDAP for all users, and output their name
- 2: Query LDAP for all groups, and output their name, members, and memberOf attributes
- 3: Query LDAP for all groups containing the word "admin" in their name, and output their name, members, and memberOf attributes
- 4: Query LDAP for all computers on the domain
- 5: Query LDAP for all domain controllers on the domain
- 6: List information about users currently logged on to this computer via NetWkstaUserEnum()
- 7: List the network shares on this computer via NetShareEnum()
- 8: List the current sessions on this computer via the query session command
Note: Queries 0-5 will only work correctly on a host that is joined to a Windows domain.
Queries can be selected by passing arguments to the executable via the -c / -command flag (i.e. ad_enum.exe -c 0,4,8). A help menu is available by running the module with -h or -help. -m / -menu will invoke an interactive menu.

Output will be saved to a local file called ad_enum_log.txt. By default (no arguments provided), the module will execute queries for options {0, 3, 5, 7, 8} while limiting displayed results to 20 values (otherwise specified via -l / -limit).
AD queries may generate high-volume bursts of network connections, especially to domain controllers over ports associated with LDAP (ports 389 and 636) or with RPC over SMB named pipes (ports 139 and 445), as well as the creation of detectable named pipes. If network packet capture or other comparable telemetry (including LDAP ETW) is available, LDAP search filters can be used to identify suspicious enumeration activity:
telemetry:
  ldap_query:
    - EDR (Microsoft-Windows-LDAP-Client ETW)
rules: >
  - Channel:EDR AND EventType:LDAPQuery AND QueryDN:"CN\=*" AND QueryFilter.keyword:/member\=\*/
  - Channel:EDR AND EventType:LDAPQuery AND QueryDN:"CN\=*" AND QueryFilter.keyword:/member\=\*/ AND QueryFilterAttributes.keyword:/member\;range\=0\-\*/
  - Channel:EDR AND EventType:LDAPQuery AND QueryDN:"OU\=*" AND QueryFilter:"*\(samAccountType\=805306368\)\(samAccountType\=805306369\)*"
Code excerpted from github.com/vadim-hunter/Detection-Idea-Rules
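The three rules above are written in Lucene/Elastic query syntax against Microsoft-Windows-LDAP-Client ETW fields. As an added example (not code from the emulation plan, the ad_enum.exe source, or the Detection-Idea-Rules repo), the following Python re-implements them as plain predicates and runs them over a few constructed LDAP-client events so the matching logic can be checked offline. The field names (QueryDN, QueryFilter, QueryFilterAttributes) are taken from the rule text; the event dictionaries, the rule names, and the helper that decodes samAccountType constants are assumptions made for illustration.

```python
"""
Added example, not code from the emulation plan or ad_enum.exe: the three LDAP
detection rules quoted above, re-implemented as plain Python predicates and run
over constructed LDAP-client events.  Field names (QueryDN, QueryFilter,
QueryFilterAttributes) follow the rule text; the events themselves are
constructed for illustration and are not real ETW records.
"""
import re

# Well-known AD samAccountType constants referenced by the third rule.
SAM_ACCOUNT_TYPES = {
    805306368: "SAM_NORMAL_USER_ACCOUNT",
    805306369: "SAM_MACHINE_ACCOUNT",
}

# Python equivalents of the escaped patterns in the quoted rules.
MEMBER_WILDCARD = re.compile(r"member=\*")           # /member\=\*/
MEMBER_RANGED = re.compile(r"member;range=0-\*")     # /member\;range\=0\-\*/
USER_AND_MACHINE = "(samAccountType=805306368)(samAccountType=805306369)"


def rule_group_member_enum(ev: dict) -> bool:
    """Rule 1: search rooted at a CN= object asking for every 'member' value."""
    return (ev.get("EventType") == "LDAPQuery"
            and ev.get("QueryDN", "").upper().startswith("CN=")
            and MEMBER_WILDCARD.search(ev.get("QueryFilter", "")) is not None)


def rule_group_member_ranged(ev: dict) -> bool:
    """Rule 2: rule 1 plus ranged retrieval of 'member' (large groups)."""
    return (rule_group_member_enum(ev)
            and MEMBER_RANGED.search(ev.get("QueryFilterAttributes", "")) is not None)


def rule_ou_user_computer_enum(ev: dict) -> bool:
    """Rule 3: OU-scoped search pulling user and computer objects in one query."""
    return (ev.get("EventType") == "LDAPQuery"
            and ev.get("QueryDN", "").upper().startswith("OU=")
            and USER_AND_MACHINE in ev.get("QueryFilter", ""))


# Rule names are assumptions for this example, not names from the source repo.
RULES = {
    "ldap_group_member_enum": rule_group_member_enum,
    "ldap_group_member_ranged": rule_group_member_ranged,
    "ldap_ou_user_computer_enum": rule_ou_user_computer_enum,
}


def evaluate(events: list) -> dict:
    """Return {rule_name: [event ids that matched]} for a batch of events."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits[name].append(ev["id"])
    return hits


def sam_account_types_in(filter_text: str) -> list:
    """Decode the samAccountType constants present in an LDAP filter string."""
    values = [int(v) for v in re.findall(r"samAccountType=(\d+)", filter_text)]
    return [SAM_ACCOUNT_TYPES.get(v, f"unknown({v})") for v in values]


# Constructed sample events (not real telemetry); 'Channel' mirrors the rules.
SAMPLE_EVENTS = [
    {   # Enumerate every member of a privileged group with ranged retrieval
        "id": 1, "Channel": "EDR", "EventType": "LDAPQuery",
        "QueryDN": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
        "QueryFilter": "(member=*)",
        "QueryFilterAttributes": "member;range=0-*",
    },
    {   # Same pattern but a single-shot member read (no ranged retrieval)
        "id": 2, "Channel": "EDR", "EventType": "LDAPQuery",
        "QueryDN": "CN=Backup Operators,CN=Builtin,DC=corp,DC=example",
        "QueryFilter": "(member=*)",
        "QueryFilterAttributes": "member",
    },
    {   # OU-scoped sweep for all users and computers at once
        "id": 3, "Channel": "EDR", "EventType": "LDAPQuery",
        "QueryDN": "OU=Workstations,DC=corp,DC=example",
        "QueryFilter": "(|(samAccountType=805306368)(samAccountType=805306369))",
        "QueryFilterAttributes": "name;dNSHostName;operatingSystem",
    },
    {   # Single-user lookup from the domain root; should match nothing
        "id": 4, "Channel": "EDR", "EventType": "LDAPQuery",
        "QueryDN": "DC=corp,DC=example",
        "QueryFilter": "(&(objectClass=user)(sAMAccountName=jdoe))",
        "QueryFilterAttributes": "displayName;mail",
    },
]


if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {ids}")
    print(sam_account_types_in(SAMPLE_EVENTS[2]["QueryFilter"]))
```

One caveat when porting these rules: a Lucene regexp query such as `QueryFilter.keyword:/member\=\*/` is anchored to the whole field value, so it only fires if the logged filter is exactly `member=*`; the predicates above use an unanchored search instead, which also matches `(member=*)` and compound filters. Check what your ETW provider actually writes into the filter field before deciding which behavior you want.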
Although not directly associated with the discovery behaviors themselves, various AD enumeration tools commonly abused by adversaries may leave distinct artifacts (such as files) on hosts or execute with identifiable process/command/script arguments:
Common BloodHound command-line options
This detection analytic identifies processes that contain common command lines consistent with the execution of BloodHound. While this is a simple analytic, we’ve found it to be effective in identifying BloodHound. It’s a good supplement to the port 445 analytic, which can require more tuning.
command_line_includes ('-collectionMethod' || 'invoke-bloodhound' || 'get-bloodHounddata')
Excerpted from Red Canary's BloodHound report.
Consider blocking or otherwise preventing the execution of AD enumeration tools/utilities that are not needed within an environment. Access to AD objects can also be managed through policy-based access control. The same dual-use tools abused by adversaries can be used to identify and remediate misconfigurations and/or available attack paths. Specifically, proactive measures can be taken to minimize the risks of data available via AD enumeration by auditing:
- Permissions against sensitive security principals (user/computer accounts and groups) such as (Domain) Admins, partially addressed by queries 2 and 3
- Privileged user activity (ex: caching sensitive credentials by logging onto systems), partially addressed by queries 0, 6, and 8
- Permissions against sensitive systems (ex: local admins of a computer), partially addressed by queries 2 through 5
Adversary engagement activities, such as diversifying and/or manipulating information and properties of systems, may present denial and deception opportunities that can be used to manipulate and disrupt adversary enumeration activities.