atomic-red-team/atomics/T1069.001/T1069.001.yaml

attack_technique: T1069.001
display_name: 'Permission Groups Discovery: Local Groups'
atomic_tests:
- name: Permission Groups Discovery (Local)
  auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae
  description: |
    Permission Groups Discovery
  supported_platforms:
  - linux
  - macos
  executor:
    command: |
      if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
      if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
      if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
      if [ -x "$(command -v id)" ]; then id; else echo "id is missing from the machine. skipping..."; fi;
      if [ -x "$(command -v getent)" ]; then getent group; else echo "getent is missing from the machine. skipping..."; fi;
      cat /etc/group
    name: sh
- name: Basic Permission Groups Discovery Windows (Local)
  auto_generated_guid: 1f454dd6-e134-44df-bebb-67de70fb6cd8
  description: |
    Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
    information will be displayed.
  supported_platforms:
  - windows
  executor:
    command: |
      net localgroup
      net localgroup "Administrators"
    name: command_prompt
- name: Permission Groups Discovery PowerShell (Local)
  auto_generated_guid: a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
  description: |
    Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
    information will be displayed.
  supported_platforms:
  - windows
  executor:
    command: |
      get-localgroup
      Get-LocalGroupMember -Name "Administrators"
    name: powershell
- name: SharpHound3 - LocalAdmin
  auto_generated_guid: e03ada14-0980-4107-aff1-7783b2b59bb1
  description: |
    This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR)
  supported_platforms:
  - windows
  input_arguments:
    domain:
      description: FQDN of the targeted domain
      type: string
      default: $env:UserDnsDomain
    sharphound_path:
      description: SharpHound Windows executable
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\SharpHound.exe'
    output_path:
      description: Output for SharpHound
      type: path
      default: '$env:TEMP\SharpHound\'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      SharpHound binary must exist on disk and at specified location (#{sharphound_path}).
      And the computer must be domain joined (implicit authentication).
    prereq_command: |
      if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 }
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}"
  executor:
    name: powershell
    elevation_required: false
    command: |
      New-Item -Path "#{output_path}" -ItemType Directory > $null
      & "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
    cleanup_command: |
      Remove-Item -Recurse #{output_path} -ErrorAction Ignore

- name: Wmic Group Discovery
  auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2
  description: |
    Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system.
  supported_platforms:
  - windows
  executor:
    command: |
      wmic group get name
    name: command_prompt

- name: WMIObject Group Discovery
  auto_generated_guid: 69119e58-96db-4110-ad27-954e48f3bb13
  description: |
    Utilizing PowerShell cmdlet - get-wmiobject, to enumerate local groups on the endpoint. Upon execution, Upon execution, information will be displayed of local groups on system.
  supported_platforms:
  - windows
  executor:
    command: |
      Get-WMIObject Win32_Group
    name: powershell
- name: Permission Groups Discovery for Containers- Local Groups
  auto_generated_guid: 007d7aa4-8c4d-4f55-ba6a-7c965d51219c
  description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
  supported_platforms:
  - containers
  dependency_executor_name: sh
  dependencies:
  - description: Verify docker is installed.
    prereq_command: |
      which docker
    get_prereq_command: |
      if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
  - description: Verify docker service is running.
    prereq_command: |
      sudo systemctl status docker  --no-pager
    get_prereq_command: |
      sudo systemctl start docker
  executor:
    command: |-
      docker build -t t1069 $PathtoAtomicsFolder/T1069.001/src/
      docker run --name t1069_container --rm -d -t t1069
      docker exec t1069_container ./test.sh
    cleanup_command: |-
      docker stop t1069_container
      docker rmi -f t1069
    name: sh