security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0e35397f3fa9f9eb293bbc69eceddead034cf9b8
atomic-red-team/atomics/T1069/T1069.yaml
T
Andrew Beers 0a7e7c7ef5 Update completion descriptions (#919) 
* T1037 Update Descriptions

* add updates

* remove powershell specific terminology

* remove powershell specific terminology

* correct redirect

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-03-31 18:24:55 -06:00

74 lines
2.0 KiB
YAML
Raw Blame History

---
attack_technique: T1069
display_name: Permission Groups Discovery
atomic_tests:
- name: Permission Groups Discovery
description: |
Permission Groups Discovery
supported_platforms:
- macos
- linux
executor:
name: sh
command: |
dscacheutil -q group
dscl . -list /Groups
groups
- name: Basic Permission Groups Discovery Windows
description: |
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
net localgroup
net group /domain
net group "domain admins" /domain
- name: Permission Groups Discovery PowerShell
description: |
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
supported_platforms:
- windows
input_arguments:
user:
description: User to identify what groups a user is a member of
type: string
default: administrator
executor:
name: powershell
elevation_required: false
command: |
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
- name: Elevated group enumeration using net group
description: |
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
net group /domai "Domain Admins"
net groups "Account Operators" /doma
net groups "Exchange Organization Management" /doma
net group "BUILTIN\Backup Operators" /doma
Reference in New Issue View Git Blame Copy Permalink