ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: Lin Miaoqian (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (赛宁网安). This is an original translation; please obtain the translators' permission before reproducing it.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1482

Glossary: /attack/glossary

Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify Lateral Movement (TA0008) opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[1] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection (T1178), Pass the Ticket (T1097), and Kerberoasting (T1208). Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest (S0359) is known to be used by adversaries to enumerate domain trusts.

Tags

ID: T1482

Tactic: Discovery

Platform: Windows

Permissions Required: User

Data Sources: PowerShell logs, API monitoring, Process command-line parameters, Process monitoring

Procedure Examples

Name                 Description
dsquery (S0105)      dsquery can be used to gather information on domain trusts with dsquery * -filter "(objectClass=trustedDomain)" -attr *.
Empire (S0363)       Empire has modules for enumerating domain trusts.
Nltest (S0359)       Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.
PoshC2 (S0378)       PoshC2 has modules for enumerating domain trusts.
PowerSploit (S0194)  PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.
TrickBot (S0266)     TrickBot can gather information about domain trusts by utilizing Nltest (S0359).

Mitigations

Mitigation                    Description
Audit (M1047)                 Map the trusts within existing domains/forests and keep trust relationships to a minimum.
Network Segmentation (M1030)  Employ network segmentation for sensitive domains.

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery (T1482). Information may also be acquired through Windows system management tools such as PowerShell (T1086). The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery (T1482).
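As an added illustration (not part of the ATT&CK page or any project's code), the detection guidance above can be expressed as a small matcher run over constructed process-creation, PowerShell script-block and API-monitoring events, one rule per indicator named on this page. The event field names, the `source` labels and all sample lines are assumptions made for this example; the only real-world values used are the tool names, switches and method names the page itself lists.

```python
import re

# T1482 indicators named on this page, grouped by the data source that would carry them.
# Matching is case-insensitive and runs on whitespace-normalised text.
INDICATORS = {
    "process": [
        ("nltest /domain_trusts", re.compile(r"\bnltest(?:\.exe)?\b.*?/domain_trusts", re.I)),
        ("dsquery trustedDomain filter", re.compile(r"\bdsquery(?:\.exe)?\b.*?objectClass=trustedDomain", re.I)),
    ],
    "powershell": [
        ("PowerSploit Get-NetDomainTrust/Get-NetForestTrust", re.compile(r"\bGet-Net(?:Domain|Forest)Trust\b", re.I)),
        (".NET GetAllTrustRelationships()", re.compile(r"\bGetAllTrustRelationships\s*\(", re.I)),
    ],
    "api": [
        # The page writes DSEnumerateDomainTrusts(); the Win32 export has A/W variants.
        ("DSEnumerateDomainTrusts() Win32 API", re.compile(r"\bDsEnumerateDomainTrusts[AW]?\b", re.I)),
    ],
}


def classify_event(event):
    """Return the T1482 indicator names matched by one event.

    `event` is an assumed log-shipper record: 'source' is one of process, powershell or api,
    and 'text' is the command line, script block or API call name respectively."""
    text = " ".join(event["text"].split())
    return [name for name, rx in INDICATORS.get(event["source"], []) if rx.search(text)]


def detect(events):
    """Walk a sequence of events and return (event_id, [indicators]) for every hit."""
    hits = []
    for ev in events:
        matched = classify_event(ev)
        if matched:
            hits.append((ev["id"], matched))
    return hits


# Constructed sample events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "source": "process", "text": r"C:\Windows\System32\nltest.exe  /domain_trusts"},
    {"id": 2, "source": "process", "text": 'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    {"id": 3, "source": "process", "text": "nltest /dsgetdc:corp.example"},  # benign nltest use
    {"id": 4, "source": "powershell", "text": "Get-NetForestTrust | Format-List"},
    {"id": 5, "source": "powershell", "text": "[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GetAllTrustRelationships()"},
    {"id": 6, "source": "api", "text": "DsEnumerateDomainTrustsW"},
    {"id": 7, "source": "powershell", "text": "Get-ChildItem C:\\Users"},
]

if __name__ == "__main__":
    for event_id, matched in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(matched)}")
```

Hits should be correlated with what follows them (for example later Kerberos or lateral-movement activity from the same host or account) rather than alerted on in isolation, as the Detection text above notes.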