PROOFREGISTER™
VERIFIABLE SECURITY EFFICACY
Graylog
SIEM — DOMAIN COMPROMISE DETECTION
VERIFIED: 2024-12-28
PROOFS: 18
CAMPAIGN: DOMAINATRIX
DOMAINATRIX™ — PROOFREGISTER™ CUSTOM CAMPAIGN
Full Active Directory domain compromise kill chain demonstrating detection coverage across 8 TTPs, from Initial Access through Exfiltration. Custom campaign developed for Graylog proof-of-concept (POC) validation.
CRYPTOGRAPHIC PROOF (VERIFIED ON-CHAIN)
Proof ID: PR-2024-00712
SHA-256: 3a7f9c2e8d1b4a6f5c0e3d2a1b9c8e7f6d5a4b3c2e1f0a9b8c7d6e5f4a3b2c1d
VERIFIED THREAT COVERAGE (DOMAINATRIX): T1078, T1110.003, T1003.003, T1083, T1087.002, T1021.002, T1558.001, T1005
DOMAINATRIX KILL CHAIN
1 INITIAL ACCESS → 2 CREDENTIAL ACCESS → 3 DISCOVERY → 4 LATERAL MOVEMENT → 5 EXFILTRATION
TTP BREAKDOWN — MITRE ATT&CK
T1078 Valid Accounts [INITIAL ACCESS]
CrackMapExec SMB authentication with previously compromised domain credentials to establish the initial foothold.
T1110.003 Password Spraying [CREDENTIAL ACCESS]
Password spraying against the domain controllers: a short passwords.txt list is tried against every account in users.txt, keeping per-account failure counts below the lockout threshold.
T1003.003 OS Credential Dumping: NTDS [CREDENTIAL ACCESS]
Atomic Red Team test that extracts NTDS.dit from a domain controller and dumps the domain's password hashes from it.
T1083 File and Directory Discovery [DISCOVERY]
Recursive directory enumeration with dir /s /b, piped through findstr to filter for files of interest.
T1087.002 Account Discovery: Domain Account [DISCOVERY]
Domain user and group enumeration scripts to map which accounts and groups hold which privileges.
T1021.002 SMB/Windows Admin Shares [LATERAL MOVEMENT]
Impacket PSExec for remote command execution over SMB (TCP 445): the tool writes a service binary to the target's ADMIN$ share and starts it as a Windows service.
T1558.001 Golden Ticket [CREDENTIAL ACCESS]
Mimikatz kerberos::golden forging TGTs with the krbtgt account hash, giving persistent domain-wide access that survives resets of ordinary account passwords.
T1005 Data from Local System [EXFILTRATION]
PowerShell Compress-Archive to collect sensitive files into an archive staged for exfiltration. (ATT&CK classifies T1005 under Collection; the campaign counts it as its Exfiltration stage.)
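Two of the TTPs above, password spraying (T1110.003) and golden-ticket use (T1558.001), cannot be caught by matching a single event; the SIEM has to correlate across events by source and by account. The Python below is an added illustration of that correlation logic and is not ProofRegister's campaign code or Graylog's own rule set. The event records, field names (ts, event_id, user, src, service), thresholds and window sizes are all assumptions; the sample events are constructed, not captured data.

```python
"""Two correlation rules for the DOMAINATRIX credential-access TTPs, run over
constructed Windows Security events. Added example, not ProofRegister's campaign
code or Graylog's rule set; event shapes and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not captured data), in the shape a
# SIEM holds after parsing Windows Security logs: 4625 = failed logon,
# 4768 = Kerberos TGT issued, 4769 = Kerberos service ticket requested.
EVENTS = [
    # T1110.003: 10.0.0.5 tries one password against six accounts in 90 seconds
    {"ts": "2024-12-28T10:00:00", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-12-28T10:00:15", "event_id": 4625, "user": "bob", "src": "10.0.0.5"},
    {"ts": "2024-12-28T10:00:30", "event_id": 4625, "user": "carol", "src": "10.0.0.5"},
    {"ts": "2024-12-28T10:00:45", "event_id": 4625, "user": "dave", "src": "10.0.0.5"},
    {"ts": "2024-12-28T10:01:00", "event_id": 4625, "user": "erin", "src": "10.0.0.5"},
    {"ts": "2024-12-28T10:01:30", "event_id": 4625, "user": "frank", "src": "10.0.0.5"},
    # Benign: one user mistyping their own password (many failures, one account)
    {"ts": "2024-12-28T10:02:00", "event_id": 4625, "user": "grace", "src": "10.0.0.9"},
    {"ts": "2024-12-28T10:02:10", "event_id": 4625, "user": "grace", "src": "10.0.0.9"},
    {"ts": "2024-12-28T10:02:20", "event_id": 4625, "user": "grace", "src": "10.0.0.9"},
    {"ts": "2024-12-28T10:02:30", "event_id": 4625, "user": "grace", "src": "10.0.0.9"},
    # Normal Kerberos logon: TGT issued (4768), then a service ticket (4769)
    {"ts": "2024-12-28T10:05:00", "event_id": 4768, "user": "bob", "src": "10.0.0.8"},
    {"ts": "2024-12-28T10:05:02", "event_id": 4769, "user": "bob", "src": "10.0.0.8", "service": "cifs/fs01"},
    # T1558.001: a forged TGT is presented directly, so the DC never logged a 4768
    {"ts": "2024-12-28T10:30:00", "event_id": 4769, "user": "Administrator", "src": "10.0.0.5", "service": "cifs/dc01"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag a source that fails logons against >= min_accounts distinct accounts
    inside any sliding `window`. Per-account thresholds miss sprays because each
    account sees only one or two failures; the pivot has to be the source."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src"]].append((parse_ts(e["ts"]), e["user"].lower()))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        peak, start = 0, 0
        for end in range(len(attempts)):
            # advance the window start until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in attempts[start:end + 1]}))
        if peak >= min_accounts:
            alerts.append({"rule": "T1110.003", "src": src,
                           "accounts": sorted({u for _, u in attempts}),
                           "peak_accounts_in_window": peak})
    return alerts


def detect_forged_tgt_use(events, lookback=timedelta(hours=10)):
    """Flag a 4769 with no preceding 4768 for the same account and client address
    within `lookback` (10 h is the default maximum TGT lifetime). A golden ticket
    is minted offline with the krbtgt hash, so no DC ever issued it. Caveat: this
    is noisy if some DCs do not forward 4768s to the SIEM, or if the TGT was
    issued before the retained log window."""
    tgt_issued = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"].lower(), e["src"])
        ts = parse_ts(e["ts"])
        if e["event_id"] == 4768:
            tgt_issued[key].append(ts)
        elif e["event_id"] == 4769:
            if not any(ts - issued <= lookback for issued in tgt_issued[key]):
                alerts.append({"rule": "T1558.001", "user": e["user"],
                               "src": e["src"], "service": e.get("service")})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(EVENTS) + detect_forged_tgt_use(EVENTS):
        print(alert)
```

On the sample data the spray rule fires once, for 10.0.0.5 with six accounts, and stays silent for the single user who mistyped their password four times; the Kerberos rule fires only for the Administrator service-ticket request with no TGT on record. In a real deployment the 4768 lookup should be keyed on whatever the environment's DCs actually populate consistently (IP address fields in 4768/4769 can differ in format), and the lookback should be set from the domain's actual TGT lifetime policy rather than the default.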
ATTACK TOOLS DETECTED
CrackMapExec
Impacket PSExec
Mimikatz
Atomic Red Team
PowerShell