# T1069.002 Domain Groups

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain-level groups.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Process:** Process Creation

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Inception | [Inception](https://attack.mitre.org/groups/G0100) has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framework March 2018)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used <code>net group /domain</code>, <code>net group “domain admins” /domain</code>, and <code>net group “Exchange Trusted Subsystem” /domain</code> to find domain group permission settings.(Citation: Palo Alto OilRig May 2016)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used [AdFind](https://attack.mitre.org/software/S0552) to enumerate domain groups.(Citation: CrowdStrike StellarParticle January 2022)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used <code>net group "Domain Admins" /domain</code> to identify domain administrators.(Citation: ESET ComRAT May 2020)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs discovery of permission groups <code>net group /domain</code>.(Citation: Mandiant Operation Ke3chang November 2014)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1069/002)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use `net group "Domain Admins" /domain` to identify domain administrators.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [ESET Turla ComRAT 2020 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```event_id:1 AND command_line:"net group*"```
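The Kibana query above is the starting filter; the triage a hunter does on the hits is shown here as an added example (written for this page, not MITRE's, Sysmon's or the authors' code). It runs the same logic over a handful of constructed Sysmon Event ID 1 records: the field names `event_id`, `computer`, `image` and `command_line` are assumed to match how those events are indexed, the events are invented, and the matching goes slightly beyond the page's `net group` query by also catching the `net1.exe` child that `net.exe` spawns, the AdFind group query the APT29 entry mentions, and the `Get-ADGroup`/`Get-ADGroupMember` cmdlets (since the page names PowerShell as a collection channel), while leaving out `net localgroup`, which is local-group discovery (T1069.001), not this technique.

```python
"""Host analytic for T1069.002: flag process-creation events whose command line
enumerates domain groups.  Added example for this hunt page; not MITRE's, Sysmon's
or the authors' code.  Field names (event_id, computer, image, command_line) are
assumed to match how Sysmon Event ID 1 is indexed in Kibana."""
import re
from collections import defaultdict

# Constructed Sysmon-style events for demonstration; none are real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 1, "computer": "WS01", "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net  group "Domain Admins" /domain'},
    # net.exe hands the work to net1.exe, so the same command shows up twice
    {"event_id": 1, "computer": "WS01", "image": r"C:\Windows\System32\net1.exe",
     "command_line": r'C:\Windows\system32\net1  group "Domain Admins" /domain'},
    {"event_id": 1, "computer": "WS02", "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use Z: \\fs01\share"},
    {"event_id": 1, "computer": "WS03", "image": r"C:\Users\u\AppData\Local\Temp\adfind.exe",
     "command_line": "adfind.exe -f (objectcategory=group)"},
    {"event_id": 1, "computer": "WS04", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd /c "net group /domain > groups.txt"'},
    {"event_id": 3, "computer": "WS01", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net group /domain"},              # network event, not process creation
    {"event_id": 1, "computer": "WS05", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net localgroup administrators"},  # local groups: T1069.001, not .002
]

# Enumeration tools named on this page (net group, AdFind) plus the PowerShell
# ActiveDirectory cmdlets, since the page notes PowerShell as a collection channel.
PATTERNS = {
    "net_group": re.compile(r'(?:^|[\\\s"])net1?(?:\.exe)?\s+group\b', re.I),
    "adfind_group": re.compile(r"\badfind(?:\.exe)?\b.*objectcategory=group", re.I),
    "ps_adgroup": re.compile(r"\bGet-ADGroup(?:Member)?\b", re.I),
}
DOMAIN_SWITCH = re.compile(r"/domain\b", re.I)
# Group argument of `net group`: either a quoted name or a bare token that is not a switch.
GROUP_ARG = re.compile(r'\bgroup\s+(?:"([^"]+)"|([^\s/"]+))', re.I)


def classify(event):
    """Return (tool, domain_scoped, group_or_None) for a matching process-creation
    event, or None when the event is not one this analytic cares about."""
    if event.get("event_id") != 1:
        return None
    cmd = event.get("command_line", "")
    for name, rx in PATTERNS.items():
        if rx.search(cmd):
            if name == "net_group":
                m = GROUP_ARG.search(cmd)
                group = (m.group(1) or m.group(2)) if m else None
                return name, DOMAIN_SWITCH.search(cmd) is not None, group
            return name, True, None   # AdFind / Get-ADGroup query the directory itself
    return None


def hunt(events):
    """One finding per matching process-creation event."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        tool, domain_scoped, group = hit
        findings.append({
            "computer": ev.get("computer"),
            "tool": tool,
            "domain_scoped": domain_scoped,
            "group": group,
            "image": ev.get("image"),
            "command_line": ev["command_line"],
        })
    return findings


def by_host(findings):
    """Roll findings up per host; a workstation issuing several of these in a short
    window is the hunt lead, not any single line."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["computer"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f["computer"], f["tool"], f["domain_scoped"], f["group"], "|", f["command_line"])
    print(by_host(found))
```

Two things to carry back into the Kibana analytic: match `net1` as well as `net`, because the `net.exe` process only forwards the command to `net1.exe` and the child is the one that actually runs it; and confirm in your stack whether `*` inside a quoted phrase (`"net group*"`) is treated as a wildcard or a literal, since `command_line:net AND command_line:group` sidesteps that question entirely.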


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

#### Analytic 1

  * **Information:** Remote access tools with built-in features may interact directly with the Windows API to gather information.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Search for commands related to enumerating domain groups

  * **Query:** ```protocols == dcerpc```
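`protocols == dcerpc` matches every RPC session in the capture, so the hunter still has to pick out the group-enumeration traffic. As an added example for this page (not the authors' or Arkime's code), the script below does that triage over constructed Zeek `dce_rpc.log` lines: `net group /domain` and its `net group "<name>" /domain` form reach the domain controller through the MS-SAMR interface on the `\pipe\samr` named pipe, so SAMR calls that list groups or resolve and expand a named group, coming from hosts that have no business doing so, are the network-side signature. Assumptions: the records follow Zeek's default tab-separated `dce_rpc.log` field order, operation names are the MS-SAMR names as Zeek labels them (the spelling in your build may differ), 10.0.0.10 is the domain controller and 10.0.0.20 an admin host from which such calls are expected; all log lines are constructed.

```python
"""Network analytic for T1069.002: triage DCE/RPC sessions to the domain
controller for SAMR group-enumeration calls.  Added example for this hunt page,
not the authors' or Arkime's code.  Assumptions: records are Zeek dce_rpc.log
lines in the default field order; operation names follow MS-SAMR as Zeek reports
them; 10.0.0.10 is the DC and 10.0.0.20 an admin host from which SAMR traffic is
expected.  All log lines are constructed."""
from collections import defaultdict

DOMAIN_CONTROLLERS = {"10.0.0.10"}   # assumed DC address
EXPECTED_SOURCES = {"10.0.0.20"}     # assumed admin jump host; SAMR from here is normal

# MS-SAMR operations that list groups or resolve/expand a named group.
SAMR_GROUP_OPS = {
    "SamrEnumerateGroupsInDomain", "SamrEnumerateAliasesInDomain",
    "SamrLookupNamesInDomain", "SamrOpenGroup", "SamrOpenAlias",
    "SamrQueryInformationGroup", "SamrGetMembersInGroup", "SamrGetMembersInAlias",
}

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "rtt",
          "named_pipe", "endpoint", "operation"]


def _rec(ts, uid, orig_h, orig_p, endpoint, operation, resp_h="10.0.0.10"):
    """Build one constructed dce_rpc.log line (SMB named-pipe transport on 445)."""
    pipe = "\\pipe\\" + endpoint
    return "\t".join([ts, uid, orig_h, str(orig_p), resp_h, "445", "0.002",
                      pipe, endpoint, operation])


# Constructed log: one workstation expanding a single group, one unrelated
# LSARPC session, one workstation listing all groups, and the admin host doing the same.
SAMPLE_DCE_RPC_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    _rec("1655980000.10", "CAaa1", "10.0.1.50", 49712, "samr", "SamrConnect"),
    _rec("1655980000.11", "CAaa1", "10.0.1.50", 49712, "samr", "SamrOpenDomain"),
    _rec("1655980000.12", "CAaa1", "10.0.1.50", 49712, "samr", "SamrLookupNamesInDomain"),
    _rec("1655980000.13", "CAaa1", "10.0.1.50", 49712, "samr", "SamrOpenGroup"),
    _rec("1655980000.14", "CAaa1", "10.0.1.50", 49712, "samr", "SamrGetMembersInGroup"),
    _rec("1655980001.00", "CBbb2", "10.0.1.51", 49800, "lsarpc", "LsarOpenPolicy2"),
    _rec("1655980002.00", "CCcc3", "10.0.1.52", 50011, "samr", "SamrEnumerateGroupsInDomain"),
    _rec("1655980003.00", "CDdd4", "10.0.0.20", 51000, "samr", "SamrEnumerateGroupsInDomain"),
])


def parse_dce_rpc_log(text):
    """Parse Zeek-style TSV lines into dicts, skipping the '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def hunt_samr_group_enum(records):
    """Aggregate SAMR group-enumeration calls to a DC per source host."""
    per_source = defaultdict(lambda: {"ops": set(), "sessions": set()})
    for r in records:
        if r["endpoint"] != "samr" or r["operation"] not in SAMR_GROUP_OPS:
            continue
        if r["resp_h"] not in DOMAIN_CONTROLLERS:
            continue
        entry = per_source[r["orig_h"]]
        entry["ops"].add(r["operation"])
        entry["sessions"].add(r["uid"])
    findings = []
    for src in sorted(per_source):
        ops = per_source[src]["ops"]
        findings.append({
            "source": src,
            "expected_source": src in EXPECTED_SOURCES,
            "operations": sorted(ops),
            "sessions": len(per_source[src]["sessions"]),
            # OpenGroup followed by GetMembers is the shape of a targeted membership
            # query such as `net group "Domain Admins" /domain`, as opposed to a
            # plain listing of all groups.
            "targeted_membership": {"SamrOpenGroup", "SamrGetMembersInGroup"} <= ops,
        })
    return findings


def unexpected_sources(findings):
    """Hosts issuing SAMR group calls that are not on the expected-source list."""
    return [f["source"] for f in findings if not f["expected_source"]]


if __name__ == "__main__":
    results = hunt_samr_group_enum(parse_dce_rpc_log(SAMPLE_DCE_RPC_LOG))
    for f in results:
        print(f)
    print("unexpected:", unexpected_sources(results))
```

The allow-list of expected sources is what turns a noisy interface filter into a hunt lead: SAMR group calls from a domain controller, an admin workstation or a monitoring server are routine, while the same calls from an ordinary user workstation, especially shortly after first logon on that host, fit the chain of behaviour the Hunter Notes describe.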