Pre-Ransomware Active Directory Discovery Burst
Attackers perform a burst of Active Directory discovery commands on a Windows host to gather information prior to ransomware deployment.
This threat brief focuses on detecting a burst of Active Directory (AD) discovery commands executed on a Windows host, an indicator of pre-ransomware activity. Attackers often perform reconnaissance to map the AD environment, identify high-value targets, and discover privileged accounts before deploying ransomware. This activity typically occurs early in the attack chain. The commands observed include systeminfo, nltest, net.exe, and whoami. Detecting this pattern can provide early warning, allowing defenders to disrupt the attack before encryption occurs. The focus is on using process tree analysis and follow-on activity to differentiate between legitimate administrator behavior and malicious intent, escalating the severity of alerts when user or group changes are detected after the discovery phase.
Attack Chain
- The attacker gains initial access to a Windows host within the target network (initial access method not specified).
- The attacker executes
systeminfoto gather detailed information about the compromised host, including OS version, hardware configuration, and installed software. - The attacker executes
nltest /domain_truststo enumerate domain trusts and identify potential lateral movement paths. - The attacker uses
net.execommands (e.g.,net user /domain,net group /domain) to enumerate users, groups, and domain administrators. - The attacker executes
whoami /allto identify the current user's privileges and group memberships. - The attacker analyzes the gathered information to identify privileged accounts and potential targets for lateral movement.
- The attacker attempts to escalate privileges or move laterally to other systems within the network (technique unspecified).
- The attacker deploys ransomware to encrypt critical systems and demand a ransom payment.
Impact
A successful attack can lead to widespread encryption of systems, data loss, and significant business disruption. Organizations in various sectors are at risk. The financial impact can range from downtime and recovery costs to reputational damage and regulatory fines. Early detection of AD discovery activity can significantly reduce the impact of a ransomware attack by providing defenders with the opportunity to isolate affected systems and prevent further lateral movement. Without early detection, the attacker could successfully encrypt hundreds or even thousands of systems.
Detection coverage 3
Detect Multiple Discovery Commands in Short Timeframe
mediumDetects a burst of common discovery commands within a short timeframe, indicating potential reconnaissance activity.
Detect nltest Usage for Domain Trust Discovery
lowDetects the use of nltest.exe with the /domain_trusts flag to enumerate domain trusts.
Detect 'net' command execution for user enumeration
infoDetects execution of net.exe to enumerate domain users
Detection queries are available on the platform. Get full rules →