# T1078.002 Domain Accounts

-----------------------------------------------------------------------

## Technique Description

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.

## Technique Detection

Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
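The three behaviours listed above (one account on many hosts at once, many accounts on one host at once, logons outside business hours) can be checked with a sliding window over logon-session records. The following is an added illustration, not MITRE's code; the events are constructed and shaped like the time/account/host fields of a Windows 4624 "Logon Session Creation" record, and the window, thresholds and business hours are assumed tuning values:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real telemetry), carrying the fields a
# Windows 4624 "Logon Session Creation" record provides: time, account, host.
SAMPLE_LOGONS = [
    ("2022-06-23T09:02:00", "CORP\\alice", "WS01"),
    ("2022-06-23T09:03:10", "CORP\\svc_backup", "FS01"),
    ("2022-06-23T09:04:00", "CORP\\svc_backup", "WS07"),
    ("2022-06-23T09:04:30", "CORP\\svc_backup", "DC01"),
    ("2022-06-23T09:05:00", "CORP\\svc_backup", "WS12"),
    ("2022-06-23T02:15:00", "CORP\\bob", "WS03"),
    ("2022-06-23T11:00:00", "CORP\\carol", "WS09"),
    ("2022-06-23T11:00:20", "CORP\\dave", "WS09"),
    ("2022-06-23T11:00:40", "CORP\\erin", "WS09"),
]

def parse_logons(raw):
    """Turn (iso_time, account, host) tuples into (datetime, account, host)."""
    return [(datetime.fromisoformat(ts), acct, host) for ts, acct, host in raw]

def burst_by(events, group_by, count, window=timedelta(minutes=5), threshold=3):
    """Sliding-window check: for each value of the tuple field `group_by`, flag
    it when more than `threshold` distinct values of field `count` occur within
    `window`. Field indexes: 1 = account, 2 = host (assumed thresholds)."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[group_by]].append((ev[0], ev[count]))
    flagged = set()
    for key, items in groups.items():
        items.sort()  # order by timestamp so each window starts at one logon
        for i, (start, _) in enumerate(items):
            distinct = {v for t, v in items[i:] if t - start <= window}
            if len(distinct) > threshold:
                flagged.add(key)
                break
    return flagged

def account_fanout(events, **kw):
    """One account creating sessions on many hosts at once."""
    return burst_by(events, group_by=1, count=2, **kw)

def host_fanin(events, **kw):
    """Many accounts creating sessions on the same host at once."""
    return burst_by(events, group_by=2, count=1, **kw)

def off_hours_logons(events, start_hour=7, end_hour=19):
    """Logons outside assumed business hours (event time in local clock)."""
    return sorted({(a, h) for t, a, h in events if not start_hour <= t.hour < end_hour})
```

Thresholds are deliberately low for the constructed data; in production they should be tuned per account type, since backup or monitoring service accounts legitimately fan out to many hosts.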

On Linux, check logs and other artifacts created by use of domain authentication services, such as the System Security Services Daemon (sssd).(Citation: Ubuntu SSSD Docs) 

Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

  * Persistence

  * Privilege-Escalation

  * Initial-Access

### Platforms:

  * Linux

  * macOS

  * Windows

### Adversary Required Permissions:

  * User

  * Administrator

### Data Sources:

  * **Logon Session:** Logon Session Creation

  * **User Account:** User Account Authentication

  * **Logon Session:** Logon Session Metadata

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has collected credentials from infected systems, including domain accounts.(Citation: Crowdstrike Indrik November 2018)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used domain credentials, including domain admin, for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used compromised domain accounts to gain access to the target environment.(Citation: NCC Group Chimera January 2021)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used administrative accounts, including Domain Admin, to move laterally within a victim network.(Citation: FireEye KEGTAP SINGLEMALT October 2020)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used stolen domain admin accounts to compromise additional hosts.(Citation: IBM TA505 April 2020)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used stolen credentials to access administrative accounts within the domain.(Citation: US District Court Indictment GRU Unit 74455 October 2020)| 
| Threat Group-1314 | [Threat Group-1314](https://attack.mitre.org/groups/G0028) actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.(Citation: Dell TG-1314)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) leverages valid accounts after gaining credentials for use within the victim domain.(Citation: Symantec Buckeye)| 
| Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has used administrator credentials for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: CrowdStrike StellarParticle January 2022)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1078/002)

  * [TechNet Credential Theft](https://technet.microsoft.com/en-us/library/dn535501.aspx), Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.

  * [TechNet Audit Policy](https://technet.microsoft.com/en-us/library/dn487457.aspx), Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.

  * [Microsoft AD Accounts](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts), Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.

  * [Ubuntu SSSD Docs](https://ubuntu.com/server/docs/service-sssd), Ubuntu. (n.d.). SSSD. Retrieved September 23, 2021.

  * [CAPEC](https://capec.mitre.org/data/definitions/560.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------
### This technique is a duplicate. Follow the link below to the "Primary Version".
<a href="../Initial Access/T1078.002 Domain Accounts.ipynb" target="_blank">Primary Version</a>