diff --git a/atomics/T1069/T1069.md b/atomics/T1069/T1069.md index d6b33e02..4c136186 100644 --- a/atomics/T1069/T1069.md +++ b/atomics/T1069/T1069.md @@ -66,6 +66,7 @@ Basic Permission Groups Discovery for Windows ``` net localgroup net group /domain +net group "domain admins" /domain ``` @@ -103,7 +104,7 @@ get-ADPrincipalGroupMembership #{user} | select name
## Atomic Test #4 - Elevated group enumeration using net group -Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups +Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups **Supported Platforms:** Windows @@ -111,10 +112,10 @@ Runs 'net group' command including command aliases and loose typing to simulate #### Attack Commands: Run with `command_prompt`! ``` -net group /domai 'Domain Admins' -net groups 'Account Operators' /doma -net groups 'Exchange Organization Management' /doma -net group 'BUILTIN\Backup Operators' /doma +net group /domai "Domain Admins" +net groups "Account Operators" /doma +net groups "Exchange Organization Management" /doma +net group "BUILTIN\Backup Operators" /doma ``` diff --git a/atomics/index.yaml b/atomics/index.yaml index 68d0f301..214b88a2 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -17860,6 +17860,7 @@ discovery: command: | net localgroup net group /domain + net group "domain admins" /domain - name: Permission Groups Discovery PowerShell description: 'Permission Groups Discovery utilizing PowerShell @@ -17878,8 +17879,8 @@ discovery: get-localgroup get-ADPrincipalGroupMembership #{user} | select name - name: Elevated group enumeration using net group - description: 'Runs ''net group'' command including command aliases and loose - typing to simulate enumeration/discovery of high value domain groups + description: 'Runs "net group" command including command aliases and loose typing + to simulate enumeration/discovery of high value domain groups ' supported_platforms: @@ -17888,10 +17889,10 @@ discovery: name: command_prompt elevation_required: false command: | - net group /domai 'Domain Admins' - net groups 'Account Operators' /doma - net groups 'Exchange Organization Management' /doma - net group 'BUILTIN\Backup Operators' /doma + net group /domai "Domain Admins" + net groups "Account Operators" /doma + net groups "Exchange Organization Management" /doma + net group "BUILTIN\Backup Operators" /doma T1057: technique: x_mitre_data_sources: