T1069.002: Domain Groups
| View on MITRE ATT&CK | T1069.002 |
|---|---|
| Tactic(s) | Discovery |
Data from MITRE ATT&CK®:
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
This report by the DFIR Report outlines a Trigona Ransomware attack. It describes how the actors went from initial access (by exposed RDP) to data ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
How to detect this technique
MITRE ATT&CK Data Components
OS API Execution (Process)
Operating system function/method calls executed by a processCommand Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Group Enumeration (Group)
An extracted list of available groups and/or their associated settings (ex: AWS list-groups)Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.