
Active Directory Discovery Detection: Threat Research Release, September 2021

The Splunk threat research team recently developed a new analytic story to help security operations center (SOC) analysts detect adversaries executing discovery and reconnaissance tasks within Active Directory environments. In this blog post, we'll walk you through this analytic story, demonstrate how we can simulate these attacks using PoshC2 & PurpleSharp, and then collect and analyze the resulting telemetry to test our detections.

Watch the video below to see a demo on how we can simulate and detect Active Directory discovery techniques in a lab environment built with the Splunk Attack Range.

When adversaries obtain an initial foothold in an Active Directory network via a phishing email or a server-side exploit, they find themselves controlling an endpoint in a network they know nothing about. The next required step is therefore to engage the environment with reconnaissance activities before deciding how to act. The MITRE ATT&CK Discovery (TA0007) tactic consists of the techniques an adversary leverages to gain knowledge of, and situational awareness on, a target network.

Active Directory contains a wealth of information that is invaluable to an adversary surveying a network. A fact that is not widely known is that most of this information can be queried and read without any special privileges in a Windows domain. A standard, unprivileged, compromised domain user (including a computer account!) can query Active Directory and obtain information such as privileged and regular users, computers, groups and memberships, database instances, domain trusts, network shares, etc.

Open source threat intelligence reports, such as the DFIR Report, provide defenders with great insight on how threat actors execute these discovery techniques in Active Directory environments while leveraging Windows native command-line tools. In addition, the recently leaked Conti Ransomware gang playbook, essentially a hacking guide the Conti gang shared with its affiliates, also highlights the focus and effort put in by human-operated ransomware gangs into Active Directory discovery activities. 

There are multiple approaches that rely on different data sources to detect this behavior. For this release, we wanted to provide coverage to identify discovery activities when adversaries leverage living-off-the-land binaries and the PowerShell scripting language. Thus, we focused on the following data sources:

Process and command-line data (the execution of native binaries such as `net.exe`, `wmic.exe`, `dsquery.exe`, `nltest.exe` and `powershell.exe` with their arguments)
PowerShell Script Block Logging (EventCode=4104)

Specifically, the new Analytic Story introduces 74 new detection analytics across 9 MITRE ATT&CK discovery techniques. We took each technique and tried to identify the different ways a threat actor may execute it. Our goal in developing several detections for each technique is to maximize detection coverage and obtain resilience against these variations. As an example, an adversary may leverage any of the following variations to enumerate groups in a Windows domain (T1069.002), all of which are detected in this release:

net group /domain
net group 'domain admins' /domain
dsquery group
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
Get-AdGroup -Filter *
Get-Wmiobject -class ds_group -namespace root\directory\ldap
([adsisearcher]"(&(objectcategory=group))").findAll()
Get-DomainGroup
Get-DomainGroupMember -Name "Domain Admins"
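
The following is an added example, not Splunk's analytic code (which is SPL). It shows how the variants above can be matched with one rule per variant family over process-creation events, after normalizing the command line so that case, spacing and smart quotes do not defeat the match. The event field names `Image` and `CommandLine`, the sample events and the set of groups treated as "elevated" are assumptions made for this example.

```python
"""Variant-resilient detection of domain group enumeration (T1069.002).

Added example, not Splunk's analytic code: normalizes Windows process-creation
events (image path + command line) and matches them against the enumeration
variants listed above, one rule per variant family. Field names, sample events
and the elevated-group list are assumptions made for the example.
"""
import re
from typing import Optional

# Smart quotes show up in pasted commands and copied playbooks; fold them so
# `net group 'domain admins' /domain` and its curly-quoted twin match alike.
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

# Assumed set of "elevated" domain groups for the elevated-group rules.
_ELEVATED = r"(?:domain admins|enterprise admins|schema admins|account operators)"
_PS_IMAGE = r"(?:powershell|pwsh)\.exe$"

# Rules are (analytic name, image regex, command-line regex), evaluated in
# order against the normalized (lowercased, whitespace-collapsed) command line.
# More specific rules (elevated groups, group members) come before general ones.
RULES = [
    ("Elevated Group Discovery With Net", r"net1?\.exe$",
     r"\bgroup (['\"]?)" + _ELEVATED + r"\1 /domain\b"),
    ("Domain Group Discovery With Net", r"net1?\.exe$", r"\bgroup /domain\b"),
    ("Domain Group Discovery With Dsquery", r"dsquery\.exe$", r"\bgroup\b"),
    ("Elevated Group Discovery With Wmic", r"wmic\.exe$",
     r"root\\directory\\ldap.*\bds_group\b.*ds_samaccountname="),
    ("Domain Group Discovery With Wmic", r"wmic\.exe$",
     r"root\\directory\\ldap.*\bds_group\b"),
    ("Elevated Group Discovery with PowerView", _PS_IMAGE, r"get-domaingroupmember\b"),
    ("GetDomainGroup with PowerShell", _PS_IMAGE, r"get-domaingroup\b"),
    ("Get-AdGroup with PowerShell", _PS_IMAGE, r"get-adgroup\b"),
    ("GetWmiObject Ds Group with PowerShell", _PS_IMAGE, r"get-wmiobject\b.*\bds_group\b"),
    ("Domain Group Discovery with Adsisearcher", _PS_IMAGE,
     r"\[adsisearcher\].*objectcategory=group"),
]


def normalize(command_line: str) -> str:
    """Lowercase, straighten quotes and collapse whitespace so trivial
    reformatting of a command does not evade a rule."""
    return re.sub(r"\s+", " ", command_line.translate(_QUOTES)).strip().lower()


def classify(event: dict) -> Optional[str]:
    """Return the name of the first matching analytic for one event, or None."""
    image = event.get("Image", "").lower()
    cmd = normalize(event.get("CommandLine", ""))
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image) and re.search(cmd_re, cmd):
            return name
    return None


def detect(events: list) -> list:
    """Run every event through classify(); return (analytic, command line) hits."""
    hits = []
    for ev in events:
        name = classify(ev)
        if name:
            hits.append((name, ev["CommandLine"]))
    return hits


# Constructed sample events: one per variant listed above, plus two benign ones.
# net.exe hands most subcommands to net1.exe, so both images are covered.
SYS = "C:\\Windows\\System32\\"
PS = SYS + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": SYS + "net1.exe", "CommandLine": "net1 group /domain"},
    {"Image": SYS + "net.exe", "CommandLine": "net group \u2018domain admins\u2019 /domain"},
    {"Image": SYS + "dsquery.exe", "CommandLine": "dsquery group"},
    {"Image": SYS + "wbem\\WMIC.exe",
     "CommandLine": "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group"},
    {"Image": SYS + "wbem\\WMIC.exe",
     "CommandLine": "wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group "
                    "where \"ds_samaccountname='Domain Admins'\" Get ds_member /Value"},
    {"Image": PS, "CommandLine": "powershell.exe -c \"Get-AdGroup -Filter *\""},
    {"Image": PS, "CommandLine":
     "powershell.exe -c \"Get-Wmiobject -class ds_group -namespace root\\directory\\ldap\""},
    {"Image": PS, "CommandLine":
     "powershell.exe -c \"([adsisearcher]'(&(objectcategory=group))').findAll()\""},
    {"Image": PS, "CommandLine": "powershell.exe -c Get-DomainGroup"},
    {"Image": PS, "CommandLine": "powershell.exe -c \"Get-DomainGroupMember -Name 'Domain Admins'\""},
    {"Image": SYS + "net.exe", "CommandLine": "net use Z: \\\\fileserver\\share"},  # benign
    {"Image": PS, "CommandLine": "powershell.exe -c Get-Process"},  # benign
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"{name:45s} <- {cmd}")
```

The ordering of the rules matters: the elevated-group rules for `net` and `wmic` and the `Get-DomainGroupMember` rule are checked before their generic counterparts, so a single event is attributed to the most specific analytic. Pairing an image check with the command-line pattern keeps `dsquery group` from firing on an unrelated binary whose arguments happen to contain the word `group`.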

Cyber defenders can implement the released analytics for real-time security monitoring and hypothesis-driven threat hunting exercises. We are also releasing the datasets generated by executing these techniques as part of the Attack Data repository. The ATT&CK techniques in scope include:

T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1482 - Domain Trust Discovery
T1018 - Remote System Discovery
T1201 - Password Policy Discovery
T1069.001 - Permission Groups Discovery: Local Groups
T1069.002 - Permission Groups Discovery: Domain Groups
T1049 - System Network Connections Discovery
T1033 - System Owner/User Discovery


Detection analytics that leverage the Process & Command line and PowerShell Script Block data sources provide coverage against the recent human-operated ransomware discovery techniques. However, threat actors who care about operational security may interact with Active Directory from a compromised endpoint without starting a new process or using PowerShell, for example through native libraries or the LDAP protocol directly. Detecting that abuse requires monitoring additional data sources, such as network or application telemetry, which we intend to cover in future releases.

Why Should You Care About Active Directory Discovery?

After adversaries obtain an initial foothold in Active Directory networks, their next step in most scenarios will be to engage in discovery & reconnaissance techniques. Defenders must have appropriate detections in place to prevent adversaries from achieving their goal. Monitoring and responding to Discovery techniques enables security operations teams to identify the early stages of an attack and stop adversaries before they reach their objectives.

Detections

The "Active Directory Discovery" analytic story includes the following detection analytics. You may use these detection analytics to hunt for potential Active Directory discovery behavior. Some of them can be used in real-time monitoring while others are better suited for threat hunting exercises.

| Name | Technique ID | Tactic | Description |
|---|---|---|---|
| Local Account Discovery With Net | T1087.001 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and `users` return a list of all local users. |
| Local Account Discovery With Wmic | T1087.001 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. |
| GetLocalUser with PowerShell Script Block | T1087.001 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. |
| GetLocalUser with PowerShell | T1087.001 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. |
| GetWmiObject User Account with PowerShell Script Block | T1087.001 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users. |
| GetWmiObject User Account with PowerShell | T1087.001 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. |
| Domain Account Discovery with Net | T1087.002 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for domain users. |
| Domain Account Discovery with Dsquery | T1087.002 | Discovery | This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. |
| Domain Account Discovery with Wmic | T1087.002 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. |
| AdsiSearcher Account Discovery | T1087.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain users. |
| GetWmiObject DS_User with PowerShell Script Block | T1087.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. |
| GetWmiObject DS_User with PowerShell | T1087.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. |
| Get-ADUser with PowerShell Script Block | T1087.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. |
| Get-ADUser with PowerShell | T1087.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser` commandlet returns a list of all domain users. |
| Get-DomainUser with PowerShell Script Block | T1087.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| Get-DomainUser with PowerShell | T1087.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| NLTest Domain Trust Discovery | T1482 | Discovery | This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for domain trust information. The argument `/domain_trusts` returns a list of trusted domains, and `/all_trusts` returns all trusted domains. |
| DSQuery Domain Discovery | T1482 | Discovery | The following analytic identifies `dsquery.exe` execution with arguments looking for a `TrustedDomain` query directly on the command line. This is typically indicative of an administrator or adversary performing domain trust discovery. |
| Get-DomainTrust with PowerShell Script Block | T1482 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies `Get-DomainTrust` from PowerView in order to gather domain trust information. |
| Get-DomainTrust with PowerShell | T1482 | Discovery | This analytic identifies `Get-DomainTrust` from PowerView in order to gather domain trust information. |
| Get-ForestTrust with PowerShell Script Block | T1482 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies `Get-ForestTrust` from PowerSploit in order to gather domain trust information. |
| Get-ForestTrust with PowerShell | T1482 | Discovery | This analytic identifies `Get-ForestTrust` from PowerSploit in order to gather domain trust information. |
| Remote System Discovery with Net | T1018 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain computers /domain` returns a list of all domain computers. |
| Domain Controller Discovery with Nltest | T1018 | Discovery | This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and `/dsgetdc:` can be used to return a list of all domain controllers. |
| Remote System Discovery with Dsquery | T1018 | Discovery | This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. |
| Domain Controller Discovery with Wmic | T1018 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. |
| Remote System Discovery with Wmic | T1018 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. |
| GetAdComputer with PowerShell Script Block | T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdComputer` commandlet. The `Get-AdComputer` commandlet is used to return a list of all domain computers. |
| GetAdComputer with PowerShell | T1018 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer` commandlet returns a list of all domain computers. |
| GetWmiObject Ds Computer with PowerShell Script Block | T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. |
| GetWmiObject Ds Computer with PowerShell | T1018 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. |
| Remote System Discovery with Adsisearcher | T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. |
| GetDomainComputer with PowerShell Script Block | T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainComputer` commandlet. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| GetDomainComputer with PowerShell | T1018 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| GetDomainController with PowerShell Script Block | T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| GetDomainController with PowerShell | T1018 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| Password Policy Discovery with Net | T1201 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments used to obtain the domain password policy. |
| Get ADDefaultDomainPasswordPolicy with Powershell Script Block | T1201 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. |
| Get ADDefaultDomainPasswordPolicy with Powershell | T1201 | Discovery | This analytic looks for the execution of `powershell.exe` executing the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. |
| Get ADUserResultantPasswordPolicy with Powershell Script Block | T1201 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. |
| Get ADUserResultantPasswordPolicy with Powershell | T1201 | Discovery | This analytic looks for the execution of `powershell.exe` executing the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. |
| Get DomainPolicy with Powershell Script Block | T1201 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. |
| Get DomainPolicy with Powershell | T1201 | Discovery | This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. |
| Net Localgroup Discovery | T1069.001 | Discovery | The following hunting analytic will identify the use of local group discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior. |
| Wmic Group Discovery | T1069.001 | Discovery | The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint. By itself this is typically not malicious, but it may raise suspicion based on time of day, endpoint and username. |
| Powershell Get LocalGroup Discovery with Script Block Logging | T1069.001 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies the PowerShell cmdlet `get-localgroup` being run. By itself this is typically not malicious, but it may raise suspicion based on time of day, endpoint and username. |
| PowerShell Get LocalGroup Discovery | T1069.001 | Discovery | The following hunting analytic identifies the use of `get-localgroup` with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior. |
| Get WMIObject Group Discovery with Script Block Logging | T1069.001 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies the usage of `Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. |
| Get WMIObject Group Discovery | T1069.001 | Discovery | The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` with PowerShell to identify local groups on the endpoint. By itself this is typically not malicious, but it may raise suspicion based on time of day, endpoint and username. |
| Domain Group Discovery With Net | T1069.002 | Discovery | This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain` returns a list of all domain groups. |
| Elevated Group Discovery With Net | T1069.002 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. |
| Domain Group Discovery With Wmic | T1069.002 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. |
| Domain Group Discovery With Dsquery | T1069.002 | Discovery | This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group` returns a list of all domain groups. |
| Elevated Group Discovery With Wmic | T1069.002 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. |
| Get-AdGroup with PowerShell Script Block | T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. |
| Get-AdGroup with PowerShell | T1069.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlet is used to return a list of all groups available in a Windows domain. |
| GetWmiObject Ds Group with PowerShell Script Block | T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `DS_Group` parameter leverages WMI to query for all domain groups. |
| GetWmiObject Ds Group with PowerShell | T1069.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. |
| Domain Group Discovery with Adsisearcher | T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. |
| GetDomainGroup with PowerShell Script Block | T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| GetDomainGroup with PowerShell | T1069.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| Elevated Group Discovery with PowerView | T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. |
| Network Connection Discovery With Net | T1049 | Discovery | This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. |
| Network Connection Discovery With Arp | T1049 | Discovery | This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. |
| Network Connection Discovery With Netstat | T1049 | Discovery | This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. |
| GetNetTcpconnection with PowerShell Script Block | T1049 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpConnection` commandlet. This commandlet is used to return a listing of network connections on a compromised system. |
| GetNetTcpconnection with PowerShell | T1049 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. |
| System User Discovery With Whoami | T1033 | Discovery | This analytic looks for the execution of `whoami.exe` without any arguments. This Windows native binary prints the currently logged-on user. |
| System User Discovery With Query | T1033 | Discovery | This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged-on user. |
| User Discovery With Env Vars PowerShell Script Block | T1033 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the currently logged-on user. |
| User Discovery With Env Vars PowerShell | T1033 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the currently logged-on user. |
| GetCurrent User with PowerShell Script Block | T1033 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the `WindowsIdentity` .NET class. This method returns an object that represents the current Windows user. |
| GetCurrent User with PowerShell | T1033 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments that execute the `GetCurrent` method of the `WindowsIdentity` .NET class. This method returns an object that represents the current Windows user. |
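
Most of the Script Block analytics above key on a cmdlet name appearing in an EventCode 4104 event. One detail a practitioner has to handle is that a long script block is logged as several 4104 events ("Creating Scriptblock text (N of M)", with MessageNumber and MessageTotal fields), so a cmdlet name can straddle two fragments and a per-event match would miss it. The example below is added here and is not part of Splunk's content: it reassembles fragments by ScriptBlockId before matching and maps each hit to the analytic name and technique ID from the table. The field names follow the 4104 event layout; the sample events and the rule list are constructed for the example.

```python
"""Reassemble PowerShell Script Block Logging (EventCode 4104) fragments and
map discovery cmdlets to the ATT&CK techniques in the table above.

Added example, not Splunk's detection content. Field names (EventCode,
ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText) follow the 4104
event layout; the sample events and the rule list are constructed here.
"""
import re
from collections import defaultdict

# (regex over the lowercased script text, analytic name, technique ID).
# Trailing \b keeps get-aduser from matching get-aduserresultantpasswordpolicy.
RULES = [
    (r"get-localuser\b", "GetLocalUser with PowerShell Script Block", "T1087.001"),
    (r"get-aduser\b", "Get-ADUser with PowerShell Script Block", "T1087.002"),
    (r"get-domainuser\b", "Get-DomainUser with PowerShell Script Block", "T1087.002"),
    (r"get-domaintrust\b", "Get-DomainTrust with PowerShell Script Block", "T1482"),
    (r"get-foresttrust\b", "Get-ForestTrust with PowerShell Script Block", "T1482"),
    (r"get-adcomputer\b", "GetAdComputer with PowerShell Script Block", "T1018"),
    (r"get-domaincontroller\b", "GetDomainController with PowerShell Script Block", "T1018"),
    (r"get-addefaultdomainpasswordpolicy\b",
     "Get ADDefaultDomainPasswordPolicy with Powershell Script Block", "T1201"),
    (r"get-aduserresultantpasswordpolicy\b",
     "Get ADUserResultantPasswordPolicy with Powershell Script Block", "T1201"),
    (r"get-localgroup\b", "Powershell Get LocalGroup Discovery with Script Block Logging", "T1069.001"),
    (r"get-adgroup\b", "Get-AdGroup with PowerShell Script Block", "T1069.002"),
    (r"get-nettcpconnection\b", "GetNetTcpconnection with PowerShell Script Block", "T1049"),
    (r"windowsidentity\]::getcurrent\(", "GetCurrent User with PowerShell Script Block", "T1033"),
]
# [adsisearcher] maps to a different technique per objectcategory.
ADSISEARCHER = {
    "user": ("AdsiSearcher Account Discovery", "T1087.002"),
    "computer": ("Remote System Discovery with Adsisearcher", "T1018"),
    "group": ("Domain Group Discovery with Adsisearcher", "T1069.002"),
}


def reassemble(events):
    """Group 4104 fragments by ScriptBlockId and join them in MessageNumber
    order. Returns (complete_blocks, incomplete_ids): a block is complete only
    when every fragment 1..MessageTotal has been seen, so a cmdlet split across
    fragments is matched on the joined text rather than missed."""
    fragments = defaultdict(dict)
    totals = {}
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        sbid = ev["ScriptBlockId"]
        fragments[sbid][ev["MessageNumber"]] = ev["ScriptBlockText"]
        totals[sbid] = ev["MessageTotal"]
    complete, incomplete = {}, set()
    for sbid, parts in fragments.items():
        if set(parts) == set(range(1, totals[sbid] + 1)):
            complete[sbid] = "".join(parts[n] for n in sorted(parts))
        else:
            incomplete.add(sbid)
    return complete, incomplete


def classify_script_block(text):
    """Return every (analytic, technique) pair that matches one script block."""
    t = text.lower()
    hits = [(name, tid) for pat, name, tid in RULES if re.search(pat, t)]
    m = re.search(r"\[adsisearcher\].*?objectcategory=(user|computer|group)", t)
    if m:
        hits.append(ADSISEARCHER[m.group(1)])
    return hits


def detect_4104(events):
    """Reassemble, then classify each complete block. Incomplete blocks are
    returned separately so they can be queued for follow-up, not dropped."""
    complete, incomplete = reassemble(events)
    hits = []
    for sbid in sorted(complete):
        for name, tid in classify_script_block(complete[sbid]):
            hits.append((sbid, name, tid))
    return hits, sorted(incomplete)


def _ev(sbid, num, total, text):
    return {"EventCode": 4104, "ScriptBlockId": sbid, "MessageNumber": num,
            "MessageTotal": total, "ScriptBlockText": text}


# Constructed sample events. Block B arrives out of order and splits a cmdlet
# name across fragments; block D is missing fragment 2 of 3.
SAMPLE_4104 = [
    _ev("A", 1, 1, "Get-LocalUser | Select-Object Name"),
    _ev("B", 2, 2, "Trust -API | Format-Table; Get-ForestTrust"),
    _ev("B", 1, 2, "Import-Module .\\PowerView.ps1; Get-Domain"),
    _ev("C", 1, 1, '([adsisearcher]"(&(objectcategory=computer))").FindAll()'),
    _ev("D", 1, 3, "$dcs = Get-DomainController; foreach ($dc in $dcs) {"),
    _ev("D", 3, 3, "}"),
    _ev("E", 1, 1, "Get-ADDefaultDomainPasswordPolicy; "
                   "[System.Security.Principal.WindowsIdentity]::GetCurrent()"),
    _ev("F", 1, 1, "Get-Process | Sort-Object CPU -Descending"),
]

if __name__ == "__main__":
    hits, incomplete = detect_4104(SAMPLE_4104)
    for sbid, name, tid in hits:
        print(f"{sbid}: {tid:10s} {name}")
    print("incomplete script blocks:", incomplete)
```

Matching fragment B2 on its own finds only `Get-ForestTrust`; after reassembly the same block also yields `Get-DomainTrust`. Block D is reported as incomplete rather than silently ignored, which matters because its visible fragment already names `Get-DomainController`. In a SIEM the same idea is a `stats values(ScriptBlockText) by ScriptBlockId` step before the pattern match, at the cost of waiting for all fragments to arrive.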

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to open an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Mauricio Velazco, Michael Haag, and Teoderick Contreras for their contributions to this post and the “Active Directory Discovery” analytic story.


The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

