atomic-red-team/atomics/T1069.001/T1069.001.md

# T1069.001 - Permission Groups Discovery: Local Groups

## Description from ATT&CK

> Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
> 
> Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscl . -list /Groups</code> on macOS, and <code>groups</code> on Linux can list local groups.

[Source](https://attack.mitre.org/techniques/T1069/001)

## Atomic Tests

- [Atomic Test #1: Permission Groups Discovery (Local)](#atomic-test-1-permission-groups-discovery-local)
- [Atomic Test #2: Basic Permission Groups Discovery Windows (Local)](#atomic-test-2-basic-permission-groups-discovery-windows-local)
- [Atomic Test #3: Permission Groups Discovery PowerShell (Local)](#atomic-test-3-permission-groups-discovery-powershell-local)
- [Atomic Test #4: SharpHound3 - LocalAdmin](#atomic-test-4-sharphound3---localadmin)
- [Atomic Test #5: Wmic Group Discovery](#atomic-test-5-wmic-group-discovery)
- [Atomic Test #6: WMIObject Group Discovery](#atomic-test-6-wmiobject-group-discovery)
- [Atomic Test #7: Permission Groups Discovery for Containers- Local Groups](#atomic-test-7-permission-groups-discovery-for-containers--local-groups)

### Atomic Test #1: Permission Groups Discovery (Local)

Permission Groups Discovery

**Supported Platforms:** Linux, macOS

**auto_generated_guid:** `952931a4-af0b-4335-bbbe-73c8c5b327ae`

#### Attack Commands: Run with `sh`!

```sh
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
if [ -x "$(command -v id)" ]; then id; else echo "id is missing from the machine. skipping..."; fi;
if [ -x "$(command -v getent)" ]; then getent group; else echo "getent is missing from the machine. skipping..."; fi;
cat /etc/group
```

### Atomic Test #2: Basic Permission Groups Discovery Windows (Local)

Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.

**Supported Platforms:** Windows

**auto_generated_guid:** `1f454dd6-e134-44df-bebb-67de70fb6cd8`

#### Attack Commands: Run with `command_prompt`!

```cmd
net localgroup
net localgroup "Administrators"
```

### Atomic Test #3: Permission Groups Discovery PowerShell (Local)

Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.

**Supported Platforms:** Windows

**auto_generated_guid:** `a580462d-2c19-4bc7-8b9a-57a41b7d3ba4`

#### Attack Commands: Run with `powershell`!

```powershell
get-localgroup
Get-LocalGroupMember -Name "Administrators"
```

### Atomic Test #4: SharpHound3 - LocalAdmin

This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR)

**Supported Platforms:** Windows

**auto_generated_guid:** `e03ada14-0980-4107-aff1-7783b2b59bb1`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | FQDN of the targeted domain | string | $env:UserDnsDomain|
| sharphound_path | SharpHound Windows executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;SharpHound.exe|
| output_path | Output for SharpHound | path | $env:TEMP&#92;SharpHound&#92;|

#### Attack Commands: Run with `powershell`!

```powershell
New-Item -Path "#{output_path}" -ItemType Directory > $null
& "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
```

#### Cleanup Commands

```powershell
Remove-Item -Recurse #{output_path} -ErrorAction Ignore
```

#### Dependencies: Run with `powershell`!

##### Description: SharpHound binary must exist on disk and at specified location (#{sharphound_path}).
And the computer must be domain joined (implicit authentication).

###### Check Prereq Commands

```powershell
if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 }
```

###### Get Prereq Commands

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}"
```

### Atomic Test #5: Wmic Group Discovery

Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system.

**Supported Platforms:** Windows

**auto_generated_guid:** `7413be50-be8e-430f-ad4d-07bf197884b2`

#### Attack Commands: Run with `command_prompt`!

```cmd
wmic group get name
```

### Atomic Test #6: WMIObject Group Discovery

Utilizing PowerShell cmdlet - get-wmiobject, to enumerate local groups on the endpoint. Upon execution, Upon execution, information will be displayed of local groups on system.

**Supported Platforms:** Windows

**auto_generated_guid:** `69119e58-96db-4110-ad27-954e48f3bb13`

#### Attack Commands: Run with `powershell`!

```powershell
Get-WMIObject Win32_Group
```

### Atomic Test #7: Permission Groups Discovery for Containers- Local Groups

Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.

**Supported Platforms:** Containers

**auto_generated_guid:** `007d7aa4-8c4d-4f55-ba6a-7c965d51219c`

#### Attack Commands: Run with `sh`!

```sh
docker build -t t1069 $PathtoAtomicsFolder/T1069.001/src/
docker run --name t1069_container --rm -d -t t1069
docker exec t1069_container ./test.sh
```

#### Cleanup Commands

```sh
docker stop t1069_container
docker rmi -f t1069
```

#### Dependencies: Run with `sh`!

##### Description: Verify docker is installed.

###### Check Prereq Commands

```sh
which docker
```

###### Get Prereq Commands

```sh
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
```

##### Description: Verify docker service is running.

###### Check Prereq Commands

```sh
sudo systemctl status docker  --no-pager
```

###### Get Prereq Commands

```sh
sudo systemctl start docker
```