www.kisa.or.kr

## 「Tactics, Techniques, Procedures」 TTPs#5 : attack patterns in AD environment

###### Contents

1. Introduction
2. Overview
3. ATT&CK Matrix
4. Conclusion

Reproduction or copying of the contents of this report without permission from the Korea Internet & Security Agency is prohibited and may violate copyright laws.

Written by: Profound Analysis Team, Internet Incident Analysis Group
Kayoung Kim, Researcher
Dongwook Kim, Deputy General Researcher
Taewoo Lee, Deputy General Researcher
Seulgi Lee, Deputy General Researcher
JaeKwang Lee, Manager

Edited by: Dae-Kyu Shin, Vice President
Jinsoo Lim, Director

#### 1. Introduction

The rise in hacking incidents has led to ever more stringent security requirements and to the continuous evolution of security systems. Yet cyber incidents of the kind reported in the past are still being repeated today, and organizations with some of the most sophisticated cyber-defense systems are still falling victim to such attacks. The influential concept of "The Pyramid of Pain" in cybersecurity illustrates that the most effective security systems depend on understanding the attackers' tactics, techniques and procedures (TTPs). The ultimate goal of cybersecurity is to make attacks more costly and more painful for perpetrators, in other words to raise them to the 'tough' level shown at the top of the pyramid.

Figure 1-1 Pyramid of Pain, David J Bianco

A cybersecurity system based on indicators of compromise (IoCs) still remains very efficient. (IoCs here refer to one-dimensional indicators such as malicious IPs or domains.) However, it is also true that attackers can easily acquire and then discard attack infrastructure that is identified by such simple indicators. TTPs are different: the attacker cannot easily obtain or discard TTPs.
An attacker who has locked on to a target needs to invest in learning and practicing TTPs to neutralize the target's security system. When moving on to the next attack, the attacker will tend to select targets to which the same TTPs can be applied. The attacker's TTPs are by nature heavily influenced by the characteristics of the targeted defense environment. As such, security practitioners must have an accurate understanding of their own defense environment. They must also approach the process and flow of an attack from the strategic and tactical levels rather than as isolated patterns or methods. In short, the defender's security environment and the attacker's TTPs must be scrutinized together. A defender who understands the attacker's TTPs should be able to answer two questions: 1) 'Would the attacker's TTPs be able to penetrate the defender's environment?' and 2) 'If so, what defensive strategy can defeat the TTPs?' The Korea Internet & Security Agency (KISA) identifies cyberattack TTPs through its incident response process and disseminates the process and countermeasures using the ATT&CK framework.[1] The various artifacts related to TTPs included in this report are merely tools to promote understanding.

[1] A matrix showing the tactics and techniques used in actual attacks and the response measures to them.

#### 2. Overview

In the first half of 2019, there were many ransomware infections targeting companies using AD (Active Directory). Security and convenience form two sides of the same coin: AD is efficient for managing a large number of systems, but careless account management may lead to administrator rights being stolen, resulting in the entire internal network being compromised. The Korea Internet & Security Agency responded at the time by compiling the attacker techniques, malicious code similarities, etc. found during security incident investigations and distributing security warnings to companies using AD.
For some time the activities of attackers in Korea decreased, but starting near the end of 2020, ransomware infections of AD environments began to occur in Korea once again. Corporations, on hearing the news of the many ransomware incidents, realized the importance of backups and began regularly backing up important data. When corporations successfully backed up their data and did not respond to the attackers' demands, the attackers began leaking internal information and demanding payment for the leaked data. The infiltration techniques differ slightly depending on how the AD environment is composed, but analysis of AD ransomware infections from 2019 onward shows that most used the same TTPs. This TTPs#5 report describes the process in detail, from the initial infiltration of the AD environment to the achievement of the final goal. The aim is to aid corporations that seek to inspect their internal security systems and build defensive strategies.

###### 01 Reconnaissance

At the reconnaissance stage, email stealer malicious code is used to leak Outlook data files from previously infected systems and extract email information. Some of these email accounts are used in APT attacks targeting corporations.

###### 02 Resource Development

For internal transfers (lateral movement) in an AD environment, commercial malicious tools such as Cobalt Strike, Ammyy Admin, TinyMet, etc. are used. Resources to be used as control servers or as locations for malicious code distribution are secured in advance, and attack tools for lateral movement over SMB are created.

###### 03 Initial Access

Spear-phishing emails carrying malicious files or malicious code are sent to the previously stolen email accounts. To disguise them as normal email, the target's work and corporate characteristics are utilized, which means the form and content of each email is always different.
###### 04 Execution

Remote commands are executed through remote control malicious code, and pipes are created between domain systems to carry out commands. The SMB port is used to run commands on other systems joined to the AD, and the malicious code is registered as a service. WMI, PowerShell, etc. are used to run commands on remote devices.

###### 05 Persistence

To keep the remote control malicious code persistent on infected systems, service and registry registration is performed through autorun entries. The AD DC is taken over to distribute group policies so that all systems joined to the AD can be infected simultaneously.

###### 06 Command and Control

The attackers use the Ammyy RAT and Amadey Bot malicious code to execute various remote commands from an external C2 server and to download additional malicious files. After taking over the base server, the SMB feature is used to run additional commands on other systems and to download and execute malicious code.

###### 07 Privilege Escalation

User and administrator domain account information is stolen to connect to other systems joined to the AD. Where shared folders are password-protected during ransomware attacks, remote desktop session information is sometimes stolen as well.

###### 08 Credential Access

The attacker uses AD server administrator account information gathered through password dump programs for internal transfers, or uses additionally created accounts.

###### 09 Defense Evasion

Malicious code with a signed certificate or encryption is used to avoid detection by security programs, and msiexec is used to run the malicious code. After the attack is over, the malicious code, event logs, etc. are deleted.

###### 10 Discovery

On initial infiltration, domain information is collected, and file directory searches or network share exploration are used to determine the structure of the internal network.
Internal transfers are used to collect and leak information from infected systems, and process or service information is also sometimes collected for ransomware infection.

###### 11 Lateral Movement

Attackers use the acquired AD accounts to attempt RDP access to other systems, and the Windows file sharing protocol (SMB) is usually used to spread malicious code and cause additional infections. PowerShell is used to run remote commands on other systems and to download and run additional malicious code from the attacker's external server; alternatively, the malicious code is collected in a shared folder on the base server, and the Windows administrative share feature is used to copy the malicious code to other systems and execute it there.

###### 12 Collection

The attacker gains AD administrator rights after the initial infiltration and repeats internal transfers until the server is dominated. Commercial tools such as PingCastle, powerkatz, etc. are used to collect information on processes, networks, accounts, etc. Remote control malicious code is then used to collect information about the target systems, and the information is encoded with a self-implemented XOR before being leaked.

###### 13 Exfiltration

The data extracted from an infected system's memory is saved as a single file and leaked to the attacker's C2 server. Email and account information collected from infected systems in the reconnaissance stage has been leaked to attacker C2 servers as well.

###### 14 Impact

Running services and processes are shut down to avoid detection prior to ransomware distribution. Afterwards, AD administrator rights are used to distribute ransomware through AD DC policy distribution, or the SMB protocol is used to register services for ransomware infection.
Figure 2-1 Attack summary diagram (tactic boxes with numbered links to the relevant technique pages; the diagram itself is not reproduced here)

#### 3. ATT&CK Matrix

|Tactic|Techniques recovered from the matrix|
|---|---|
|Reconnaissance|Gather Victim Identity Information|
|Resource Development|Obtain Capabilities, Develop Capabilities, Compromise Infrastructure|
|Persistence / Privilege Escalation|Create Account, Create or Modify System Process, Valid Accounts, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Boot or Logon Initialization Scripts, Account Token Manipulation|
|Discovery|Software Discovery, Process Discovery, Account Discovery, File and Directory Discovery, Network Share Discovery, System Information Discovery, System Owner/User Discovery|
|Impact|Service Stop, Data Encrypted for Impact|

###### Gather Victim Identity Information

Figure: email stealer flow. Authentication information (account, profile) and email information are taken from Outlook and Thunderbird data files and sent to the hacker server after a file signature check.
###### Develop Capabilities – Malware: Malicious code creation

In order to spread internally through SMB, attackers use a malicious tool that is presumably self-developed.

Traces of malicious tool use (malicious code logs):

```
10.123.170.231 : Payload direct copy FAILED (67), SM opened, Payload reverse copy FAILED (1073)
10.123.184.91 : Payload direct copy FAILED (112), SM opened, Payload reverse copy FAILED (1073)
10.201.10.145 : Payload direct copy FAILED (1326), SM open FAILED (5)
10.123.170.229 : Payload direct copy FAILED (67), SM opened, Payload reverse copy FAILED (1073)
...
10.201.10.83 : Payload direct-copied, SM opened, Service created, Service started, Service removed, Payload removed
10.201.10.84 : Payload direct-copied, SM opened, Service created, Service started, Service removed, Payload removed
```

###### Compromise Infrastructure – Server: Server resource acquisition

Figure: malicious code distribution server hosting the malicious code.

###### User Execution – Malicious Link: Malicious link click

Figure: a .lnk file disguised as a normal file leads to the malicious code.
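When a log like the one above is recovered from a base server during incident response, the first question is scope: on which hosts did the payload actually run as a service, and why did the rest fail? The following triage script is an added example, not code from the report or from the tool it describes. It assumes the line format shown above, reads "SM" as the service manager, and assumes the parenthesised numbers are Win32 error codes (they are consistent with that reading); the sample lines are constructed from the excerpt.

```python
import re
from collections import Counter

# Constructed sample, copied from the log excerpt in this section.
SAMPLE_LOG = """
10.123.170.231 : Payload direct copy FAILED (67), SM opened, Payload reverse copy FAILED (1073)
10.123.184.91 : Payload direct copy FAILED (112), SM opened, Payload reverse copy FAILED (1073)
10.201.10.145 : Payload direct copy FAILED (1326), SM open FAILED (5)
10.123.170.229 : Payload direct copy FAILED (67), SM opened, Payload reverse copy FAILED (1073)
10.201.10.83 : Payload direct-copied, SM opened, Service created, Service started, Service removed, Payload removed
10.201.10.84 : Payload direct-copied, SM opened, Service created, Service started, Service removed, Payload removed
"""

# Assumption: the numbers are Win32 error codes. Only codes seen above are mapped.
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",        # share/SCM reachable, credentials lack rights
    67: "ERROR_BAD_NET_NAME",        # admin share not found (host off, SMB disabled)
    112: "ERROR_DISK_FULL",
    1073: "ERROR_SERVICE_EXISTS",    # a service of that name already exists
    1326: "ERROR_LOGON_FAILURE",     # the stolen credentials were rejected here
}

LINE_RE = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?P<steps>.+)$")
FAIL_RE = re.compile(r"FAILED \((\d+)\)")


def parse_line(line):
    """Return (host, [steps], [error codes]) for one log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    steps = [s.strip() for s in m.group("steps").split(",")]
    codes = [int(c) for c in FAIL_RE.findall(m.group("steps"))]
    return m.group("host"), steps, codes


def triage(log_text):
    """Bucket hosts: 'executed' if the payload ran as a service, 'partial' if the
    service manager was opened but nothing ran, 'rejected' otherwise. Error codes
    are tallied so the analyst sees why lateral movement stopped where it did."""
    result = {"executed": [], "partial": [], "rejected": [], "errors": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, steps, codes = parsed
        for c in codes:
            result["errors"][WIN32_ERRORS.get(c, f"unknown({c})")] += 1
        if "Service started" in steps:
            result["executed"].append(host)
        elif "SM opened" in steps:
            result["partial"].append(host)
        else:
            result["rejected"].append(host)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("payload executed on:", r["executed"])
    print("SCM opened, no execution:", r["partial"])
    print("unreachable or rejected:", r["rejected"])
    for err, n in r["errors"].most_common():
        print(f"  {n}x {err}")
```

The "executed" bucket is the list of hosts that need full forensic handling; the "partial" bucket still shows that the attacker's credentials were accepted by the service manager on those hosts, so those accounts should be treated as compromised even though no payload ran there.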
###### Command and Scripting Interpreter – Windows Command Shell: Using Windows commands

|Purpose|Command|
|---|---|
|Account creation|net user [account name] [password] /add|
|Account privilege setting|net localgroup administrators [account name] /add|
|Process stopping|taskkill /IM [process name]|
|Service stopping|net stop [service name]|
|Service creation|sc create [malicious service name] binpath= [malicious code path]|
|Service execution|sc start [malicious service name]|
|Service removal|sc delete [malicious service name]|
|Domain account check|net user /domain|
|Event log deletion|for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"|
|Schedule creation|schtasks.exe /CREATE /XML C:\Programdata\[malicious schedule file name].xml /tn [malicious schedule name]|
|Schedule execution|schtasks.exe /RUN /tn [malicious schedule name]|
|Schedule stopping|schtasks.exe /END /tn [malicious schedule name]|
|Schedule deletion|schtasks.exe /DELETE /tn [malicious schedule name] /F|
|Process checking|tasklist|

###### Command and Scripting Interpreter – PowerShell: Using Windows PowerShell

###### System Services – Service Execution: Service execution

###### Inter-Process Communication: Communication between malicious processes

|List of pipes used|Hacking tool|
|---|---|
|status_887, status_776, status_34513, status_a63b, status_2d19, status_dd21|Cobalt Strike|
|svcctl, samr, lsarpc|PsExec|
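Every command in the table above is a legitimate Windows tool, so detection has to key on the argument patterns rather than the binary names. The rule set below is an added example (not from the report) that scans process-creation command lines, such as the CommandLine field of Sysmon event 1 or Security event 4688, for the account-creation, service-creation, event-log-clearing and scheduled-task patterns in the table, plus the variant in the Windows Management Instrumentation section further on, where the same net commands are echoed into a temporary .bat file and started through %COMSPEC%. The sample events, host names and account names are constructed.

```python
import re

# Each rule: a label plus a regex over one process command line.
RULES = [
    ("local account created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("account added to local Administrators",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("service created with sc",
     re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+\s+binpath=", re.I)),
    ("event log cleared with wevtutil",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)),
    ("every event log enumerated and cleared",
     re.compile(r"wevtutil(?:\.exe)?\s+el\b.*wevtutil(?:\.exe)?\s+cl\b", re.I)),
    ("scheduled task imported from XML",
     re.compile(r"\bschtasks(?:\.exe)?\s+/CREATE\s+/XML\b", re.I)),
    # The WMI-launched variant: a command echoed into \Windows\Temp\*.bat, then started.
    ("command echoed into a Temp .bat and started",
     re.compile(r"\becho\s+.+>.*\\Temp\\\S+\.bat\b.*\bstart\s+%COMSPEC%", re.I)),
    ("service stopped without confirmation",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\S+\s+/y\b", re.I)),
]


def match_rules(cmdline):
    """Return the labels of every rule that fires on one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(events):
    """events: iterable of (host, user, command_line) as a process-creation log
    supplies them. Returns hits as (host, user, label, command_line)."""
    hits = []
    for host, user, cmd in events:
        for label in match_rules(cmd):
            hits.append((host, user, label, cmd))
    return hits


# Constructed sample events modelled on the command tables in this section.
SAMPLE_EVENTS = [
    ("WS01", "CORP\\alice", r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'),
    ("SRV01", "NT AUTHORITY\\SYSTEM", "net user helpdesk P@ssw0rd1 /add"),
    ("SRV01", "NT AUTHORITY\\SYSTEM", "net localgroup administrators helpdesk /add"),
    ("SRV01", "CORP\\admin", 'sc create IntelProtected binpath= "C:\\Intel\\wsus.exe"'),
    ("SRV01", "CORP\\admin",
     "for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""),
    ("SRV02", "NT AUTHORITY\\SYSTEM",
     r"%COMSPEC% /C echo net user svc_bk P@ss /add ^> %SYSTEMDRIVE%\WINDOWS\Temp\aB3.txt"
     r" > \WINDOWS\Temp\aB3.bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\aB3.bat"),
    ("SRV02", "CORP\\admin", "net stop VeeamDeploySvc /y"),
]

if __name__ == "__main__":
    for host, user, label, cmd in scan(SAMPLE_EVENTS):
        print(f"{host:6} {user:22} {label}: {cmd[:60]}")
```

Two rules fire on the for-loop line on purpose: the generic `wevtutil cl` rule catches a single log being cleared, while the enumerate-and-clear rule is the higher-confidence signal that every log on the host is being wiped. A rule hit on a server under the SYSTEM account, as in the WMI-launched sample, is worth escalating immediately, because that is what remote execution through WMI or a service looks like in the process-creation log.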
###### Scheduled Task – Scheduled Task/Job: Execution via task scheduler

|Purpose|Command|
|---|---|
|Schedule creation|schtasks.exe /CREATE /XML C:\Programdata\[malicious schedule file name].xml /tn [malicious schedule name]|
|Schedule execution|schtasks.exe /RUN /tn [malicious schedule name]|
|Schedule stopping|schtasks.exe /END /tn [malicious schedule name]|
|Schedule deletion|schtasks.exe /DELETE /tn [malicious schedule name] /F|

###### Windows Management Instrumentation: Windows management tool

|Purpose|Command|
|---|---|
|Account creation|%COMSPEC% /C echo net user [account name] [password] /add ^> %SYSTEMDRIVE%\WINDOWS\Temp\[random_16].txt > \WINDOWS\Temp\[random_16].bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\[random_16].bat|
|Account privilege setting|%COMSPEC% /C echo net localgroup administrators [account name] /add ^> %SYSTEMDRIVE%\WINDOWS\Temp\[random_16].txt > \WINDOWS\Temp\[random_16].bat & %COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\[random_16].bat|

###### Create or Modify System Process – Windows Service: Maintaining persistence through service installation

For malicious code that requires persistence, the service start type is set to auto start.

Figure: ransomware malicious code registered as an auto-start service.

###### Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder: Autostart registration in the registry and startup folder

###### Boot or Logon Initialization Scripts – Network Logon Script: Autostart via group policy

###### Account Token Manipulation – Token Impersonation/Theft: Impersonation or theft of other tokens

###### Account Token Manipulation – Create Process with Token: Creation of processes with high-privilege tokens
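The "Autostart via group policy" technique above works through the scripts.ini file that Group Policy keeps under SYSVOL for each GPO's Machine\Scripts\Startup folder, which is why the conclusion of this report asks AD DC operators to watch their group policy lists. The auditor below is an added example (not from the report): it parses the scripts.ini format and flags startup entries that create or start services, copy a binary out of SYSVOL, or drop files under C:\Windows\tasks. The sample scripts.ini is constructed; its first entry is modelled on the ransomware distribution policy script reproduced in the Impact section of this report, the other two entries are ordinary placeholders.

```python
import re

# scripts.ini lists scripts as <index>CmdLine= / <index>Parameters= pairs
# under [Startup] and [Shutdown] sections.
ENTRY_RE = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$")

# What a startup script should never need to do. Labels are reported per entry.
SUSPICIOUS = [
    ("creates a service", re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)),
    ("starts a service", re.compile(r"\bsc(?:\.exe)?\s+start\b", re.I)),
    ("copies a file out of SYSVOL", re.compile(r"\bcopy\b.*\\sysvol\\", re.I)),
    ("writes under C:\\Windows\\tasks", re.compile(r"\\windows\\tasks\\", re.I)),
    ("runs a shell interpreter", re.compile(r"\b(?:cmd|powershell)(?:\.exe)?\b", re.I)),
]


def parse_scripts_ini(text):
    """Return the script entries in file order as dicts with section, index,
    CmdLine and Parameters. Lines outside a section are ignored."""
    scripts = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        idx, key, val = m.groups()
        entry = scripts.setdefault((section, int(idx)), {
            "section": section, "index": int(idx), "CmdLine": "", "Parameters": ""})
        entry[key] = val
    return list(scripts.values())


def audit(text):
    """Return (section, index, CmdLine, [reasons]) for every entry that trips a rule."""
    findings = []
    for s in parse_scripts_ini(text):
        full = f"{s['CmdLine']} {s['Parameters']}"
        reasons = [label for label, rx in SUSPICIOUS if rx.search(full)]
        if reasons:
            findings.append((s["section"], s["index"], s["CmdLine"], reasons))
    return findings


# Constructed sample. [DomainName] and [PolicyGUID] are placeholders as in the report.
SAMPLE_SCRIPTS_INI = r"""
[Startup]
0CmdLine=cmd.exe
0Parameters=/c "copy /y \\Windows\SysVol\[DomainName]\Policies\[PolicyGUID]\Machine\Scripts\Startup\wsusrv.exe C:\WINDOWS\tasks\wsusrv.exe && sc create msdtcstefsrv binPath= "C:\WINDOWS\tasks\wsusrv.exe" start= auto && sc start msdtcstefsrv"
1CmdLine=\\[DomainName]\SysVol\[DomainName]\Policies\[PolicyGUID]\Machine\Scripts\Startup\inventory.ps1
1Parameters=
[Shutdown]
0CmdLine=cleanup.bat
0Parameters=
"""

if __name__ == "__main__":
    for section, index, cmd, reasons in audit(SAMPLE_SCRIPTS_INI):
        print(f"[{section}] #{index} {cmd}: " + "; ".join(reasons))
```

Running a script that itself lives in SYSVOL (the second entry) is how Group Policy scripts are normally deployed and is not flagged; copying a binary out of SYSVOL onto the local disk and registering it as an auto-start service is the pattern that distinguishes the ransomware policy from legitimate use. In practice the text would come from each GPO's scripts.ini on the domain controller, and a change to any flagged entry should be correlated with the Group Policy modification events the DC records.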
###### Domain Policy Modification – Group Policy Modification: Group policy modification

###### Boot or Logon Initialization Scripts – Network Logon Script: Autostart via group policy

###### Create Account: Account creation

Malicious code names and locations used for disguise:

|Type|Malicious code name|
|---|---|
|Normal program disguise|C:\ProgramData\Adobe\wsus.dll, C:\ProgramData\Adobe\Setup\wsus.exe, C:\Intel\localserv.exe, C:\Intel\logon.exe, C:\Intel\wsus.exe, C:\hp\sysinfo.exe, C:\hp\slog.exe, C:\hp\AdFind.exe, C:\hp\sage.exe, C:\hp\wsus.exe|
|Windows software disguise|C:\ProgramData\Microsofts HeIp\wsus.exe, C:\ProgramData\Microsofts Help\wsus.exe, C:\Windows\localserv.exe, C:\Windows\tasks\wsusrv.exe|
|Service name|IntelProtected|

###### Indicator Removal on Host – File Deletion: File deletion

When a system is already infected by a malicious code and the same malicious code is installed again, the previous copy is deleted. A file deletion script is used to erase traces.

Figure: installation of new malware on an infected system deletes the existing malware.

File deletion script:

```
del "C:\hp\slog.exe"
if exist "C:\hp\slog.exe" goto R
del "ex.bat"
```

###### Indicator Removal on Host – Clear Windows Event Logs: Event log deletion

###### Signed Binary Proxy Execution – Msiexec: Malicious code installation through msiexec

Figure: malicious code installed from the malicious code distribution site via msiexec.

###### Deobfuscate/Decode Files or Information: File/information deobfuscation and decoding

Figure: resource lookup and decoding routine (Find Resource / Get Resource, followed by a decoding loop over a base index).
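Two of the disguises in the table above are worth a second look: "Microsofts HeIp" spells Help with a capital I, and "Microsofts Help" is one character away from a real vendor folder name. Neither is caught by an exact path allow-list. The checker below is an added example (not from the report) that folds visually confusable glyphs before comparing folder names to a small list of legitimate vendor folders, reports names that are one edit away, and separately flags executables sitting directly under a bare vendor folder such as C:\Intel or C:\hp. The legitimate folder list and the bare-vendor-folder heuristic are assumptions for the example; the sample paths are those listed in the table.

```python
# Glyphs that look alike in common UI fonts, folded to one representative each.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# Assumed allow-list of vendor folder names; extend with your own environment's.
LEGITIMATE_DIRS = ("Microsoft", "Microsoft Help", "Windows", "Program Files",
                   "ProgramData", "Intel", "hp", "Adobe")


def canon(name):
    """Fold confusable glyphs, then case, so lookalike spellings collide."""
    return name.translate(CONFUSABLES).lower()


def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path):
    """Return a list of findings for one Windows path (empty when nothing is odd)."""
    findings = []
    parts = path.split("\\")
    dirs, fname = parts[1:-1], parts[-1]
    for d in dirs:
        for legit in LEGITIMATE_DIRS:
            dist = levenshtein(canon(d), canon(legit))
            if dist > 1:
                continue
            # If folding confusables brought the names closer than plain
            # case-folding does, a lookalike glyph is in play (HeIp vs Help).
            if levenshtein(d.lower(), legit.lower()) > dist:
                findings.append(f"confusable glyphs in folder '{d}' (resembles '{legit}')")
            if dist == 1:
                findings.append(f"folder '{d}' is one edit away from '{legit}'")
            break
    # Assumed heuristic: vendor folders at the drive root normally hold
    # subfolders, not loose executables.
    if (fname.lower().endswith((".exe", ".dll")) and len(dirs) == 1
            and dirs[0].lower() in ("intel", "hp")):
        findings.append(f"binary placed directly under bare vendor folder: {path}")
    return findings


def scan_paths(paths):
    """Map each path with at least one finding to its findings."""
    return {p: check_path(p) for p in paths if check_path(p)}


# Paths from the table in this section.
OBSERVED = [
    r"C:\ProgramData\Adobe\wsus.dll",
    r"C:\ProgramData\Adobe\Setup\wsus.exe",
    r"C:\Intel\localserv.exe",
    r"C:\hp\AdFind.exe",
    r"C:\ProgramData\Microsofts HeIp\wsus.exe",
    r"C:\ProgramData\Microsofts Help\wsus.exe",
    r"C:\Windows\localserv.exe",
    r"C:\Windows\tasks\wsusrv.exe",
]

if __name__ == "__main__":
    for p, f in scan_paths(OBSERVED).items():
        print(p)
        for line in f:
            print("   -", line)
```

Note what the path check does not catch: C:\Windows\localserv.exe and C:\ProgramData\Adobe\wsus.dll look entirely normal by name. Those have to be found through the service-creation telemetry (the IntelProtected service in the table) or through signature and hash checks on the binaries themselves, so a name heuristic like this one is a triage aid, not a control.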
Process name list:

|Process names||||
|---|---|---|---|
|QHActivesDEFENSE.exe|QHSAFETRAY.exe|QHWATCHDOG.exe|CMDAGENT.exe|
|CIS.exe|V3LIGHT.exe|V3MAIN.exe|V3SP.exe|
|SPIDERAGENT.exe|DWENGINE.exe|DWARKDAEMON.exe|dbsnmp.exe|
|steam.exe|PNTMON.exe|dbeng50.exe|Powerpnt.exe|
|firefoxonfig.exe|mspub.exe|mysqld-opt.exe|isqlplussv.exe|
|onenote.exe|oautoupds.exe|||

Service name list:

|Service names||||
|---|---|---|---|
|McAfeeEngineService|Symantec System Recovery|SepMasterService|tmlisten|
|NetMsmqActivator|MsExchangeMGMT|BackupExecDeviceMediaService|ShMonitor|
|VeeamRESTSvc|BackupExecVSSProvider|MsDtsServer|VeeamDeploySvc|
|SQLAgent$PROD|Sophos Message Router|McShield|BackupExecJobEngine|
|swi_filter|Sophos AutoUpdate Service|Sophos MCS Agent|MsDtsServer100|
|IMAP4Svc|SQLSERVERAGENT|SQLsafe Filter Service|Antivirus|
|DCAgent|SQLAgent$BACKUPExec|MSSQLSERVER|Zoolz 2 Service|
|mfevtp|SQLAgent$VEEAMMSQL 2008R2|SQLTELEMETRY$ECWDB2|MSSQL$SHAREPOINT|
|AcronisAgent|Sophos File Scanner Service|ReportServer$TPS|MSSQLFDLauncher$TPS|
|MSSQL$TPS|UI0Detect|POP3Svc||

Process name prefix list (six characters each):

|Process name prefixes||||||||||
|---|---|---|---|---|---|---|---|---|---|
|alert|alsvc.|archiv|armsvc|boanet|busine|cisvc.|clean.|cmd.ex|conhos|
|csrss.|dwm.ex|iastor|iexplo|inetin|java.e|Imigua|lms.ex|logmei|lsass.|
|lsm.ex|ndagen|node.e|nssm.e|ppsgne|pxcont|python|ramain|safest|savadm|
|savser|sdcser|search|servic|shell.|smss.e|snarec|sntpse|sophos|spools|
|sqlbro|sqlwri|sspser|svchos|swc_se|swi_se|syslog|tasken|taskho|timesr|
|uns.ex|update|winini|winlog|winvnc|wmiprv|xsauth|dllhos|excel.|explor|
|mmc.ex|csrs.e|clamsc|regsvr|mobsyn|rundll|runonc|winwor|system|notepa|
|taskmg||||||||||

###### Account Discovery – Domain Account: Domain account discovery

In order to check for an AD environment, the malicious code uses the command "net user /domain". The result of the command determines whether to continue the infection.
If the result contains the word WORKGROUP, the malicious code shuts down; if the result does not contain the word WORKGROUP, the malicious code continues to operate.

###### File and Directory Discovery: File/directory discovery

###### Network Share Discovery: Network share discovery

|Excluded folder names|||
|---|---|---|
|Chrome|All Users|Mozilla|
|ProgramData|Recycle.bin|AhnLab|
|Microsoft|Program files (x86)|Program Files|
|Windows|BOOTMGR|RECOVERY|
|SOPHOS|TOR BROWSER|SYSTEM VOLUME INFORMATION|
|PERFLOGS|WINNT|APPDATA|

|Excluded file names|||
|---|---|---|
|ClopReadMe.txt|AUTOEXEC.bat|ntldr|
|autoexec.bat|boot.ini|NTDETECT.COM|
|netuser.ini|DESKTOP|desktop.ini|
|autorun.inf|iconcache.db|bootsect.bak|
|ntuser.dat.log|thumbs.db|ntuser.dat|

|Excluded extensions|||
|---|---|---|
|.dll|.exe|.sys|
|.Clop|.OCX|.lnk|
|.Cl0p|.ICO|.INI|
|.MSI|.CHM|.HLF|
|.LNG|.TTF|.CMD|
|.BAT|||

|Value name|Description|
|---|---|
|id|Unique ID value|
|os|System OS information|
|priv|Malicious code execution privileges + UAC activation status|
|cred|User path|
|pcname|System name|
|avname|Vaccine (antivirus) information|
|build_time|Malicious code execution time|
|card|NFC information|

|Language list|||
|---|---|---|
|Armenian|Kazakh|Tajik|
|Azerbaijani|Kyrgyz|Turkmen|
|Belarusian|Russian|Ukrainian|
|Georgian|Swahili|Uzbek|

###### Remote Services – Remote Desktop Protocol: Remote desktop connection protocol

The acquired AD account is used to attempt a remote desktop connection.

Figure: RDP attacks from the infiltrated system against target systems using acquired accounts; a successful connection leads to further account acquisition.

###### Remote Services – Windows Remote Management: Windows remote management

Figure: 1. PowerShell is executed on the base system, contacting the external C2 server; 2. malicious code is delivered from the malicious code server to the target systems, which become further infiltrated systems.
###### Lateral Tool Transfer: Lateral tool transfer

Figure: account theft, tunneling and information theft malicious code are staged in a shared folder on the base server and copied to other systems.

|Tool|Purpose|
|---|---|
|pingcastle.exe|AD environment network information collection and weakness discovery|
|powerkatz.dll|AD environment network information collection and weakness discovery|
|procexp64.exe|Process information collection tool|

|Value name|Description|
|---|---|
|id|Unique ID value|
|os|System OS information|
|priv|Malicious code execution privileges + UAC activation status|
|pred|User path|
|pcname|System name|
|avname|Vaccine (antivirus) information|
|build_time|Malicious code execution time|
|card|NFC information|

###### Archive Collected Data – Archive via Custom Method: Data compression through user-implemented encryption algorithms

Figure: collected data is written to rj_log.dat (DAT file).

###### Service Stop: Service and process shutdown

|Purpose|Command|
|---|---|
|Service stopping|net stop [service name] /y|
|Process shutdown|taskkill /IM [process name] /F|

|Type|Name|
|---|---|
|Service|McAfeeEngineService, Symantec System Recovery, NetMsmqActivator, MSExchangeMGMT, SepMasterService, tmlisten, BackupExecDeviceMediaService, ShMonitor, VeeamRESTSvc, BackupExecVSSProvider, MsDTsServer, VeeamDepolySvc, SQLAgent$PROD, Sophos Message Router, McShield, BackupExecJobEngine, swi_filter, Sophos AutoUpdate Service, Sophos MCS Agent, MsDtsServer100, IMAP4Svc, SQLSERVERAGENT, SQLsafe Filter Service, Antivirus, DCAgent, SQLAgent$bkupexec, MSSQLSERVER|
|Process|dbsnmp.exe, steam.exe, PNTMon.exe, dbeng50.exe, powerpnt.exe, firefoxonfig.exe, mspub.exe, mysqld-opt.exe, isplplussv.exe, wordpad.exe, steam.exe, onenote.exe, mysqld.exe, outlook.exe|
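The Collection and Archive sections above say that the system information (the id, os, priv, pcname, avname fields and so on) is encoded with a self-implemented XOR before it is written out and leaked. When such a blob is recovered from disk or from a network capture and the key is not known, the field names themselves are the crib. The script below is an added example (not from the report, which gives neither the key length nor the record layout): it assumes a single-byte XOR key and a key=value&key=value layout, tries all 256 keys, and picks the one that produces the expected field names. The sample record and key are constructed.

```python
FIELD_NAMES = ("id", "os", "priv", "cred", "pcname", "avname", "build_time", "card")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Rank one decoding attempt. Each expected 'field=' found outweighs any
    number of merely printable bytes, so the right layout wins decisively."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return -1
    fields = sum(1 for f in FIELD_NAMES if f"{f}=" in text)
    printable = sum(1 for ch in text if ch.isprintable())
    return fields * 1000 + printable


def recover_single_byte_xor(blob: bytes):
    """Brute-force all 256 keys; return (key, plaintext) for the best score."""
    key = max(range(256), key=lambda k: score(xor_bytes(blob, k)))
    return key, xor_bytes(blob, key)


def parse_fields(plaintext: bytes) -> dict:
    """Split the assumed key=value&key=value layout into a dict."""
    pairs = plaintext.decode("ascii").split("&")
    return dict(p.split("=", 1) for p in pairs if "=" in p)


# Constructed sample: field names from the table above, assumed layout and key.
SAMPLE_PLAINTEXT = (b"id=0001&os=Windows 10&priv=admin+uac_on&cred=C:\\Users\\alice"
                    b"&pcname=WS01&avname=none&build_time=2021-03-01 10:00:00&card=none")
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for name, value in parse_fields(plain).items():
        print(f"  {name:10} = {value}")
```

The scoring deliberately ignores how "English" the output looks and counts only the beacon's own field names, which is what makes it robust against keys that happen to yield printable garbage. A multi-byte repeating key would need the key length first (for example from the period of repeated bytes where the plaintext is known to be constant, such as the "&" separators); that is outside what this example covers.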
###### Data Encrypted for Impact: Ransomware distribution

Ransomware distribution policy script (group policy startup script):

```
[Startup]
0CmdLine=cmd.exe
0Parameters=/c "copy /y \\Windows\SysVol\[DomainName]\Policies\[PolicyGUID]\Machine\Scripts\Startup\wsusrv.exe C:\WINDOWS\tasks\wsusrv.exe && sc create msdtcstefsrv binPath= "C:\WINDOWS\tasks\wsusrv.exe" start= auto && sc start msdtcstefsrv"
```

Ransomware service creation through SMB (service installation event as recorded on the infected system):

```
시스템에 서비스가 설치되었습니다.
서비스 이름: WinTempLocal
서비스 파일 이름: C:₩windows₩localserv.exe
서비스 유형: 사용자 모드 서비스
서비스 시작 유형: 자동 시작
서비스 계정: LocalSystem
```

###### Protocol Tunneling: Protocol tunneling

#### 4. Conclusion

###### 【Defender's Insight】

The Korea Internet & Security Agency has examined the types of ransomware infection attacks that occurred in AD environments. Attackers used spear-phishing for infiltration, dominated the DC server after account theft, and used SMB internal transfers to infect systems with ransomware. Such incidents cause major damage, including the payment demanded by the attacker, damage to the corporation's image, system recovery costs, etc., and an AD environment being infected leads to the entire system being dominated and to additional damage, including the leaking of important corporate information. Hacking attempts against corporations will continue to occur, and corporations using AD will continue to be targeted. Each corporation has its own unique composition, privilege management, security policies, etc., and the infiltration method and detailed attack methods could change, but privilege escalation, account theft, SMB internal transfer, etc. are commonalities found in most AD incidents. As such, corporations using an AD environment must give priority to account management and monitoring. An attacker who succeeds in initial infiltration will move with administrator account theft in mind while searching the internal network; stealing normal user accounts will not aid in the domination of the internal network.
Even if accounts are stolen, user and service account privileges must be kept separate so that the AD domain controller server cannot be dominated. Use of administrator group accounts should be minimized, and systems that are forced to use an administrator account should be regularly monitored. In the case of the AD DC in particular, close attention must be paid to registered services and group policy lists to check for suspicious activity. Major system logs should be regularly backed up, and if account theft tools are detected or pipe communication is found, the affected system must be inspected immediately. KISA published a detailed tech report on AD environment incidents in early 2019. That report dealt with a single incident and focused on attack techniques, procedures, malicious code analysis, etc., while this report deals with various incidents that occurred between 2019 and 2021, listing the attack methods of attackers according to an ATT&CK matrix. Even if the attack groups and attack types change in the future, the attack methods used against AD environments will not vary greatly. Understanding and ascertaining all the TTPs in the previous tech report and the current one will be of great help in applying them to internal corporate environments, predicting security threats, and reorganizing security.