Account Discovery

Account discovery is a key reconnaissance technique in which attackers enumerate valid account information in a system or environment to support later stages of an attack; targets include local system accounts, domain accounts, cloud service accounts and other account types. Traditional detection relies on monitoring account-management commands (such as net user), anomalous API call patterns and high-frequency query behaviour, drawing mainly on process-creation logs, authentication events and directory-service operations as data sources.

In response to increasingly mature security monitoring, attackers have developed new covert account-discovery techniques: abusing legitimate interfaces, obscuring query semantics and splitting the attack chain across domains, so that account enumeration is recast as low-signature operations with a plausible business justification and the reconnaissance phase stays hidden throughout its life cycle.

The core evolution of current account-discovery stealth techniques runs along three dimensions. First, the operating medium migrates toward legitimacy: from direct invocation of system commands to standardized API interfaces and sanctioned data channels. Second, behavioural signatures blend into the background: precise imitation of normal business interactions (such as cloud-console operations or operations-script execution) lowers the apparent abnormality of each action. Third, the attack chain is decoupled in time and space: a centralized enumeration task is broken into fragmented, cross-platform, long-running information collection. Concretely, legitimate-API disguise achieves "formal compliance" by strictly following protocol specifications; credential-fuzzing traversal exploits the system's fault tolerance to achieve "semantic concealment"; cross-domain correlation analysis builds "indirect inference" paths from external data sources; and metadata extraction abuses built-in system features to achieve "privilege evasion". What these techniques share is that they break away from the overt signatures of traditional account enumeration and embed the attack deeply in the target environment's normal business flow.

As stealth techniques develop, traditional detection models based on single-system log analysis or rule matching risk becoming ineffective. Defenders need to build cross-domain data correlation capabilities, model the behavioural context of API calls, strengthen monitoring of sensitive-information leakage in unstructured data, and use multidimensional anomaly scoring to identify covert account reconnaissance.

ID: T1087
Sub-techniques: T1087.001, T1087.002, T1087.003
Tactic: Discovery
Platforms: IaaS, Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Daniel Stepanic, Elastic; Microsoft Threat Intelligence Center (MSTIC); Travis Smith, Tripwire
Version: 2.5
Created: 31 May 2017
Last Modified: 15 October 2024

Stealth Effects

Effect type                     Present
Signature disguise
Behavioural transparency
Data obscuration
Spatio-temporal trace dilution

Signature disguise

Attackers make account enumeration look compliant at both the protocol layer and the business-logic layer by precisely imitating legitimate API call patterns, disguising the activity as normal file access, and similar means. For example, a ListUsers API call is embedded in a routine operations workflow, or a metadata-extraction process is made indistinguishable from a background indexing service, defeating detection rules that match on operational signatures.

Data obscuration

In cross-domain correlation analysis and API-disguised queries, attackers send sensitive query requests and responses over TLS-encrypted channels, so that network-layer defences cannot directly parse the account-enumeration traffic. Collected account information is also fragmented, stored in pieces and transmitted with obfuscation, hidden in normal business data flows on its way back to the attacker.

Spatio-temporal trace dilution

Distributed task scheduling and low-frequency, long-period operation dilute the temporal signature of account enumeration within the time window of normal business operations. For example, combining globally distributed proxy nodes with cloud functions keeps each node's query rate permanently below the detection threshold, while the spread across time zones produces naturally scattered behaviour patterns that defeat the defender's time-series analysis.

Procedure Examples

ID Name Description
G0143 Aquatic Panda

Aquatic Panda used the last command in Linux environments to identify recently logged-in users on victim machines.[1]

G1016 FIN13

FIN13 has enumerated all users and their roles from a victim's main treasury system.[2]

S0445 ShimRatReporter

ShimRatReporter listed all non-privileged and privileged accounts available on the machine.[3]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.[4]

S1065 Woody RAT

Woody RAT can identify administrator accounts on an infected machine.[5]

S0658 XCSSET

XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.[6]

Mitigations

ID Mitigation Description
M1028 Operating System Configuration

Prevent administrator accounts from being enumerated when an application is elevating through UAC, since it can lead to the disclosure of account names. The Registry key is located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.[7]

M1018 User Account Management

Manage the creation, modification, use, and permissions associated with user accounts.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

DS0022 File File Access

Monitor access to file resources that contain local accounts and groups information such as /etc/passwd, /Users directories, and the SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

DS0009 Process Process Creation

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[8] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
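The following Python script is an added example, not part of the ATT&CK page: it applies the "quick succession" check above to a handful of constructed process-creation events, counting net.exe/net1.exe account-enumeration commands per host and user in a sliding window. The 60-second window, the threshold of 3, and the SAMPLE_EVENTS data are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed process-creation events (timestamp, host, user, command line); sample data only
SAMPLE_EVENTS = [
    ("2024-10-15T09:00:01", "WS01", "alice", r"C:\Windows\System32\net.exe user"),
    ("2024-10-15T09:00:02", "WS01", "alice", r"C:\Windows\System32\net1.exe user"),
    ("2024-10-15T09:00:05", "WS01", "alice", r"C:\Windows\System32\net.exe user /domain"),
    ("2024-10-15T09:00:06", "WS01", "alice", r"C:\Windows\System32\net1.exe user /domain"),
    ("2024-10-15T09:00:09", "WS01", "alice", r"C:\Windows\System32\net.exe localgroup administrators"),
    ("2024-10-15T09:00:10", "WS01", "alice", r"C:\Windows\System32\net1.exe localgroup administrators"),
    ("2024-10-15T10:30:00", "WS02", "bob", r"C:\Windows\System32\net.exe use Z: \\fs01\share"),
    ("2024-10-15T11:00:00", "WS03", "carol", r"C:\Windows\System32\net.exe user"),
]

# net.exe sub-commands that list accounts or group membership (not "net use", "net share", ...)
ACCOUNT_SUBCOMMANDS = {"user", "localgroup", "group", "accounts"}
# Matches net.exe or net1.exe (with or without path/extension) followed by its sub-command
NET_RE = re.compile(r"(?:^|\\)net1?(?:\.exe)?\s+(\w+)", re.IGNORECASE)

def is_account_enumeration(cmdline):
    """True when the command line is net/net1 with an account-related sub-command."""
    m = NET_RE.search(cmdline)
    return bool(m) and m.group(1).lower() in ACCOUNT_SUBCOMMANDS

def find_bursts(events, window_seconds=60, threshold=3):
    """Return {(host, user): peak} for pairs whose account-enumeration commands
    reach `threshold` inside some sliding window of `window_seconds`."""
    per_key = defaultdict(list)
    for ts, host, user, cmdline in events:
        if is_account_enumeration(cmdline):
            per_key[(host, user)].append(datetime.fromisoformat(ts))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for key, stamps in per_key.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    for (host, user), count in find_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}/{user}: {count} account-enumeration commands within 60s")
```

A burst threshold like this is exactly what the low-frequency, long-period strategy described under spatio-temporal trace dilution is designed to stay under, so it should be paired with per-user baselines over longer windows and with the file-access and cloud-API data sources listed above.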

References