Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
An attacker with Domain Admin privileges and knowledge of Active Directory (AD) can leverage built-in Windows tools to modify the group membership of attacker-controlled accounts. This technique can help an attacker evade remediation attempts and maintain persistent, privileged access to AD systems.
Kill Chain
Risk Score
61
In Active Directory (AD), user and computer accounts are assigned to groups, such as Guest, Local Admin, or Domain Admin. Each group has an associated privilege level. When an account becomes a member of a group, the account inherits the privilege level of that group.
The Domain Admins group in AD grants powerful privileges to group members that allow the members to perform almost any action in AD and on domain-joined systems. After infiltrating the network, an attacker with elevated privileges can leverage built-in Windows tools, such as net.exe, to change group membership for an attacker-controlled account. For example, the tool sends a Microsoft remote procedure call (MS-RPC) protocol request with an interface and operation, such as samr:AddGroupMember, to add attacker-controlled accounts to the Domain Admin group membership. The attacker now has backup accounts that help them maintain privileged access to the environment in case other attacker-controlled accounts are blocked or removed by administrators.
