Wednesday, October 5, 2022

Tools, Tools Everywhere!

How do we get from hunting and detecting Tools (and IOCs) to actually detecting TTPs and, preferably, the big one: Tactics?

From MITRE ATT&CK, detection guidance for Account Discovery: Domain Account

Let's look at the definitions first (I steal them from Ryan Stillions' blog post on TTPs).

Tactics:

    "the science and art of disposing and maneuvering forces in combat"

    "the art or skill of employing available means to accomplish an end"

Techniques:

    "a way of doing something by using special knowledge or skill"

    "the way that a person performs basic physical movements or skills"

I'm a practical guy, so I like to find Tactics by asking whether "this is a means to an end", and then get a rough idea of whether that is detectable.

TI Report to Tactics

Let's grab the latest TheDFIRReport (from 2022-09-16, BumbleBee: Round Two) and see if we can find any Tactics.

Shoutout to TheDFIRReport for a great job and for sharing their work!

Let's take a few findings from the report and see if we can find Tactics:


C:\Windows\system32\cmd.exe /C net group "domain admins" /domain

Proposed Tactic:

Querying a domain controller for the users in the "domain admins" group


C:\Windows\system32\cmd.exe /C nltest /dclist:

Proposed Tactic:

Querying a domain controller for a list of all domain controllers


C:\Windows\system32\cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt

Proposed Tactic:

Querying a domain controller for all computers in the domain


C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp

Proposed Tactic:

Getting credentials by reading lsass.exe process memory


net  localgroup Administrators sql_admin /ADD

Proposed Tactic:

Adding a user to the local Administrators group


A remote service was created on one of the workstations in order to dump lsass

Proposed Tactic:

Executing code by running a service on a remote host


So we have (hopefully) been able to find some Tactics based on findings in a Threat Intel report, TheDFIRReport.

By rewriting the findings into Tactics I hope to be able to write detections at a much higher level than Tools and, once and for all, leave the hunt for new tools behind me (at least in theory).
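To show what detecting at that level looks like, here is an added example (my own, not code from the blog or from TheDFIRReport): tactic-level signatures run over constructed Sysmon-style process-creation events, where the Computer and CommandLine field names are assumed. The signatures match what the command line does (the LDAP filter, the lsass dump arguments, the group change), not the binary name, so the renamed af.exe and a hypothetical x.exe land on the same Tactic that AdFind itself would.

```python
import re

# Tactic-level signatures for process-creation command lines (e.g. Sysmon
# Event ID 1 / Windows 4688). Each regex describes WHAT the command achieves,
# not WHICH binary runs it, so a renamed tool still matches the same Tactic.
TACTIC_SIGNATURES = {
    "Querying a domain controller for the users in the domain admins group":
        re.compile(r'\bgroup\s+"?domain admins"?\s+/domain\b', re.I),
    "Querying a domain controller for a list of all domain controllers":
        re.compile(r'\bnltest\b.*/dclist\b', re.I),
    "Querying a domain controller for all computers in the domain":
        re.compile(r'objectcategory\s*=\s*computer', re.I),
    "Getting credentials by reading lsass.exe process memory":
        re.compile(r'(?=.*\blsass\b)(?=.*(?:\.dmp\b|\bminidump\b|-ma\b))', re.I),
    "Adding a user to the local Administrators group":
        re.compile(r'\blocalgroup\s+administrators\b.*/add\b', re.I),
}


def classify(cmdline: str) -> list[str]:
    """Return every proposed Tactic whose signature matches one command line."""
    return [tactic for tactic, rx in TACTIC_SIGNATURES.items() if rx.search(cmdline)]


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Map process-creation events to (host, Tactic) hits; no tool names involved."""
    return [(ev["Computer"], tactic)
            for ev in events
            for tactic in classify(ev["CommandLine"])]


# Constructed sample events (not taken from any real log), modelled on the
# findings above. Event 3 uses the renamed af.exe binary, event 7 the same
# LDAP filter under a hypothetical name x.exe, and event 6 is benign.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "CommandLine": r'C:\Windows\system32\cmd.exe /C net group "domain admins" /domain'},
    {"Computer": "WS01", "CommandLine": r"C:\Windows\system32\cmd.exe /C nltest /dclist:"},
    {"Computer": "WS01", "CommandLine": r'C:\Windows\system32\cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt'},
    {"Computer": "WS02", "CommandLine": r"C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp"},
    {"Computer": "SQL01", "CommandLine": r"net  localgroup Administrators sql_admin /ADD"},
    {"Computer": "WS03", "CommandLine": r"C:\Windows\system32\cmd.exe /C dir C:\Users"},
    {"Computer": "WS02", "CommandLine": r'C:\Temp\x.exe -f "(objectCategory=computer)"'},
]

if __name__ == "__main__":
    for host, tactic in hunt(SAMPLE_EVENTS):
        print(f"{host}: {tactic}")
```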

The reasoning behind that was explained in my last blog post, "Tactics, the killer of YOLO Command lines?", where the Pyramid of Pain and the DML model were discussed.

If anyone has comments on my Tactics, please let me know. Otherwise I will look into making detections for these in my next blog post.


TheDFIRReport: BumbleBee: Round Two

Ryan Stillions: On TTPs

Net group command

Net command

AdFind usage

Malforsec: Tactics, the killer of YOLO Command lines?

Mitre Att&ck: Account Discovery: Domain Account