1. Home
  2. Techniques
  3. Enterprise
  4. 权限组发现

权限组发现

ID Name
T1069.001 合法管理工具伪装查询
T1069.002 内存驻留型权限枚举
T1069.003 时间离散化凭证缓存提取
T1069.004 API钩取式权限信息隐蔽采集

权限组发现是攻击者用于识别目标系统用户、组及其权限关系的关键侦察技术,通常通过执行系统命令、查询API接口或解析配置文件等方式实现。传统检测方法主要监控敏感命令(如net group/group)执行、异常进程创建事件,以及PowerShell等管理工具的非常规使用模式。防御措施包括启用详细命令行审计日志、限制普通用户执行权限管理命令、实施严格的API调用监控等。

为规避传统检测机制,攻击者发展出多种隐蔽式权限发现技术,通过工具伪装、内存驻留、时序解耦及系统钩取等手法,将权限枚举操作融入正常系统活动,在降低行为显著性的同时维持信息收集效能,形成"低特征、高融合"的新型侦察范式。

当前权限组发现匿迹技术的核心机理体现为系统信任机制的深度滥用与操作痕迹的多维消除:合法管理工具伪装查询通过精确复现管理员操作模式,将恶意行为隐藏在白名单进程的正常活动中;内存驻留技术利用进程注入与API钩取实现"无文件、无进程"的透明化数据采集;时间离散化提取则通过分解攻击链与利用系统缓存机制,将权限发现转化为长期低强度操作;API钩取技术更进一步将数据收集嵌入系统内核工作流,实现权限信息获取与业务功能的深度耦合。这些技术的共性在于突破传统攻击面边界,通过系统内部机制的武器化利用,使得权限发现行为在进程行为、日志记录、网络流量等多个维度均呈现出合法特征。

匿迹技术的发展导致传统基于命令监控、进程检测的防御体系面临失效风险,防御方需加强内存行为分析、API调用链追踪等深度检测能力,实施严格的权限最小化原则,并构建用户-组-权限关系的动态基线模型,通过异常关联分析识别隐蔽侦察行为。

ID: T1069
Sub-techniques:  T1069.001, T1069.002, T1069.003, T1069.004
Tactic: 环境测绘
Platforms: Containers, IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Daniel Prizmant, Palo Alto Networks; Microsoft Threat Intelligence Center (MSTIC); Yuval Avrahami, Palo Alto Networks
Version: 2.6
Created: 31 May 2017
Last Modified: 15 October 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过完全复现合法管理工具的操作特征实现深度伪装。例如使用系统自带PowerShell执行组策略查询时,动态生成符合管理员习惯的命令参数,并保持正常的执行上下文环境。这使得权限发现行为在进程树、命令行日志等维度与日常运维活动无法区分,实现恶意指令的"特征隐身"。

行为透明

内存驻留与API钩取技术使权限发现操作脱离传统监控视野。通过将恶意代码注入可信进程内存空间,并劫持系统底层API调用链,攻击者无需创建异常进程或触发敏感操作告警即可完成数据采集,形成完全透明的权限枚举过程。

数据遮蔽

在数据回传阶段采用进程间通信加密与合法协议隧道技术。例如将提取的组策略数据封装在HTTPS业务流量中,或通过DNS隧道分段传输,利用加密通道和协议混淆遮蔽敏感信息,使得网络层检测无法识别数据泄露实质。

时空释痕

时间离散化技术将集中式权限查询分解为长周期、低频率的缓存提取操作。攻击者通过数周时间逐步收集分散的凭证碎片,再利用离线关联分析还原完整权限拓扑,使得单次操作特征强度低于检测阈值,整体攻击链被稀释在正常业务时间维度中。

Procedure Examples

ID Name Description
G0022 APT3

APT3 has a tool that can enumerate the permissions associated with Windows groups.[1]
G0096 APT41

APT41 used net group commands to enumerate various Windows user groups and permissions.[2]
S0335 Carbon

Carbon uses the net group command.[3]
G1016 FIN13

FIN13 has enumerated all users and roles from a victim's main treasury system.[4]
S0483 IcedID

IcedID has the ability to identify Workgroup membership.[5]
S0233 MURKYTOP

MURKYTOP has the capability to retrieve information about groups.[6]
S0445 ShimRatReporter

ShimRatReporter gathered the local privileges for the infected host.[7]
S0623 Siloscape

Siloscape checks for Kubernetes node permissions.[8]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.[9]
G0092 TA505

TA505 has used TinyMet to enumerate members of privileged groups.[10] TA505 has also run net group /domain.[11]
S0266 TrickBot

TrickBot can identify the groups the user on a compromised host belongs to.[12]
G1017 Volt Typhoon

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for group and user discovery.[13]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for logging, messaging, and other artifacts provided by cloud services.
DS0017 Command Command Execution

Monitor executed commands and arguments acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
DS0036 Group Group Enumeration

Monitor for an extracted list of ACLs of available groups and/or their associated settings.
Group Metadata

Monitor for contextual data about a group which describes group and activity around it.
DS0009 Process Process Creation

Monitor for newly constructed processes and/or command-lines for actions that could be taken to gather system and network information. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

References

  1. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  2. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  3. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.
  4. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  5. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  6. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  7. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  1. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  2. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  3. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  4. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  5. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  6. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.