2018-05-25 12:21:10 -04:00
|
|
|
---
|
|
|
|
|
attack_technique: T1069
|
|
|
|
|
display_name: Permission Groups Discovery
|
|
|
|
|
|
|
|
|
|
atomic_tests:
|
|
|
|
|
- name: Permission Groups Discovery
|
|
|
|
|
description: |
|
|
|
|
|
Permission Groups Discovery
|
|
|
|
|
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- macos
|
|
|
|
|
- linux
|
|
|
|
|
|
|
|
|
|
executor:
|
|
|
|
|
name: sh
|
|
|
|
|
command: |
|
|
|
|
|
dscacheutil -q group
|
|
|
|
|
dscl . -list /Groups
|
|
|
|
|
groups
|
2018-07-19 19:52:31 -05:00
|
|
|
|
2019-09-17 14:09:03 -05:00
|
|
|
- name: Basic Permission Groups Discovery Windows
|
2018-07-19 19:52:31 -05:00
|
|
|
description: |
|
2019-09-17 14:09:03 -05:00
|
|
|
Basic Permission Groups Discovery for Windows
|
2018-07-19 19:52:31 -05:00
|
|
|
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
|
|
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
2019-09-03 07:34:42 -06:00
|
|
|
elevation_required: false
|
2018-07-19 19:52:31 -05:00
|
|
|
command: |
|
|
|
|
|
net localgroup
|
|
|
|
|
net group /domain
|
|
|
|
|
|
|
|
|
|
- name: Permission Groups Discovery PowerShell
|
|
|
|
|
description: |
|
|
|
|
|
Permission Groups Discovery utilizing PowerShell
|
|
|
|
|
|
|
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
|
|
|
|
|
|
|
|
|
input_arguments:
|
|
|
|
|
user:
|
|
|
|
|
description: User to identify what groups a user is a member of
|
|
|
|
|
type: string
|
|
|
|
|
default: administrator
|
|
|
|
|
|
|
|
|
|
executor:
|
|
|
|
|
name: powershell
|
2019-09-03 07:34:42 -06:00
|
|
|
elevation_required: false
|
2018-07-19 19:52:31 -05:00
|
|
|
command: |
|
|
|
|
|
get-localgroup
|
|
|
|
|
get-ADPrinicipalGroupMembership #{user} | select name
|
2019-09-17 14:09:03 -05:00
|
|
|
atomic_tests:
|
|
|
|
|
|
|
|
|
|
- name: Elevated group enumeration using net group
|
|
|
|
|
description: |
|
|
|
|
|
Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups
|
2018-07-19 19:52:31 -05:00
|
|
|
|
2019-09-17 14:09:03 -05:00
|
|
|
supported_platforms:
|
|
|
|
|
- windows
|
2018-07-19 19:52:31 -05:00
|
|
|
|
2019-09-17 14:09:03 -05:00
|
|
|
executor:
|
|
|
|
|
name: command_prompt
|
|
|
|
|
elevation_required: false
|
|
|
|
|
command: |
|
|
|
|
|
net group /domai 'Domain Admins'
|
|
|
|
|
net groups 'Account Operators' /doma
|
|
|
|
|
net groups 'Exchange Organization Management' /doma
|
|
|
|
|
net group 'BUILTIN\Backup Operators' /doma
|
