Detection Content to Address Attacker Techniques Covered in the “Domain of Thrones: Part I” Research

Offensive forces continuously look for new ways to gain access to the domain environment and sustain their presence by leveraging multiple attack vectors and experimenting with diverse adversary tools and techniques. For instance, they can take advantage of revealed security flaws as in the case of adversary attempts to exploit the vulnerability in Microsoft’s Windows AD in mid-spring 2023, leading to the potential privilege escalation attacks.

This article based on the research by Nico Shyne and Josh Prager gains insights into the attacker TTPs leveraged to gain and maintain access within a domain environment, such as credential theft on the domain controller, synchronizing Active Directory (AD) configurations, manipulating the Kerberos authentication protocol, and exploiting certificates. To help defenders thwart related attacks, we are sharing with industry peers a list of relevant detection content from SOC Prime Platform. 

Detecting Adversary TTPs Described in “Domain of Thrones: Part I” Series

Adversaries constantly seek new ways to covertly infiltrate and maintain persistence inside the organizational network. With domain persistence standing out as a juicy target, threat actors leverage multiple Kerebros abuse techniques to achieve malicious goals. Cyber defenders should keep a close eye on evolving attack methods to proactively identify and prevent intrusions at the earliest stages. 

To help security professionals stay on top of domain persistence attacks, SOC Prime Platform offers a dedicated set of detection rules specifically addressing main attack techniques, such as credential theft on domain controllers, Kerebros protocol manipulations, or Active Directory abuse. 

All detections are compatible with 28 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework to streamline threat investigation and shave off time on cross-platform query translation. Additionally, each detection item is accompanied by extensive metadata, including CTI links, ATT&CK references, audit configuration, false-positive context, and triage recommendations available through Uncoder AI.

Hit the Explore Detections button below and drill down to a set of curated Sigma rules to streamline your threat hunting operations. 

Explore Detections

“Domain of Thrones: Part I” Attacker Techniques Overview

With attackers continuously searching for ways to access and gain persistence in the targeted domain environment, defenders mainly focus on the means of the adversary initial access. However, they might overlook the post-breach domain state that needs prompt remediation measures. Due to an increasing number of offensive operations compromising domain environments, defenders are concerned about ways to regain control over the impacted domain, restore trust, and make sure the operational efficiency remains intact. 

Multiple nation-backed hacking collectives like FIN6, NICKEL, or Emissary Panda aka APT27 have set their eyes on critical Active Directory assets, like the NTDS.dit file, the KRBTGT service account, or AD certificates, gaining initial access through phishing or vulnerability exploitation. They normally apply both standard and custom tools to gain access to the domain leveraging elevated privileges. After confirming a breach, the defenders’ focus should be on blocking access and rotating domain secrets to prevent further compromise while detection engineers are expected to prioritize identifying signs of the domain persistence.

Adversaries are equipped with a wide range of domain persistence techniques to compromise the targeted environment. For instance, attackers with admin access levels can engage in credential theft by using applications to gain access to the LSASS.exe process. By leveraging these illicitly acquired credentials, threat actors can modify their execution context, allowing them to reach critical resources and carry out actions that may seriously affect an organization’s business continuity. For instance, they can apply native Windows LOLbins, such as Task Manager to  gain access to LSASS.exe with the required permissions and further read the virtual memory of this process. Hackers can also target the organizations’ NTDS.dit file aiming to obtain access to or duplicate the database file in an effort to collect required credentials.

Malicious actors can also leverage the golden ticket technique via Kerberos protocol manipulation to bypass detection and maintain persistence in the compromised domain environment. Kerberos authentication protocol relies on ticket requests and grants to verify users for remote resources. The KRBTGT service account’s password creates a cryptographic key, which is used by the KDC to sign and encrypt ticket-granting tickets (TGTs) presented to access remote resources. Attackers can then apply this fake TGT to authenticate. As an alternative, they can take advantage of the diamond ticket technique have the option to manipulate a legitimately issued TGT from the domain controller, rather than creating their own. As for certificate abuse techniques, hackers can obtain Certificate Authority (CA) private keys and produce fraudulent certificates signed using the stolen key. 

Domain persistence attacks and related adversary techniques are continuously evolving, encouraging defenders to keep a finger on the pulse of emerging offensive trends while keeping abreast of the tools and solutions that boost cyber defense capabilities within the domain. Make the most of SOC Prime’s Threat Detection Marketplace to always stay ahead of the curve and proactively defend your organization’s domain environment with the curated detection content enriched with actionable metadata and continuously updated.