Detecting Pre-Ransomware Active Directory Reconnaissance
Adversaries perform Active Directory reconnaissance using built-in tools like nltest, whoami, and net.exe to map the environment before deploying ransomware.
This threat brief focuses on detecting pre-ransomware reconnaissance activity targeting Active Directory. Attackers often use readily available tools to gather information about the domain, user accounts, and group memberships before deploying ransomware. This activity is often performed in short bursts to minimize detection. The techniques involve common commands like nltest, whoami /groups, and net.exe group executed from compromised endpoints. Identifying these reconnaissance attempts early can provide defenders with a crucial opportunity to disrupt the attack before ransomware is deployed and significant damage is inflicted. Monitoring for these specific command sequences, especially when followed by suspicious user creation or privileged group modifications, is critical for early threat detection and mitigation.
Attack Chain
- An attacker compromises a user account or endpoint within the target network through unknown means (e.g., phishing, exploit).
- The attacker executes
nltest /domain_truststo enumerate domain trusts and map the Active Directory environment. - The attacker executes
whoami /groupsto identify the groups the compromised user belongs to. - The attacker uses
net group /domainto enumerate domain groups. - The attacker uses
net group "Domain Admins" /domainto identify members of the Domain Admins group. - Based on gathered information, the attacker attempts to escalate privileges, potentially creating new user accounts with elevated permissions.
- The attacker adds the newly created or compromised accounts to privileged groups like "Domain Admins".
- The attacker leverages the gained privileges to deploy ransomware across the network.
Impact
Successful Active Directory reconnaissance allows attackers to map the network environment, identify critical assets, and escalate privileges. This leads to widespread ransomware deployment, data encryption, and significant business disruption. Organizations can experience financial losses due to downtime, data recovery costs, and potential ransom payments. The impact can range from temporary service outages to permanent data loss and reputational damage, affecting potentially thousands of users and systems across the organization.
Detection coverage 3
Detect Active Directory Enumeration via Nltest
mediumDetects the use of nltest.exe to enumerate domain trusts, a common reconnaissance technique.
Detect Group Enumeration via Whoami
mediumDetects the use of whoami.exe to enumerate group memberships.
Detect Group Enumeration via Net.exe
mediumDetects the use of net.exe to enumerate domain groups.
Detection queries are available on the platform. Get full rules →