security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1069/T1069.yaml
T
JB cb7b3f4650 Added 'Elevated group enumeration using net group' + minor titles edit (#567) 
* Added 'Elevated group enumeration using net group' + minor fix

added a new atomic ( 4), and updated attack 2 name to more clearly reflect what it is doing versus the newly added atomic (which has commands more specific to high value, elevated groups, and as well simple obfuscation)

* minor syntax fix; description clarification

* further minor clarifications to description and title
2019-09-17 13:09:03 -06:00

71 lines
1.6 KiB
YAML
Raw Blame History

---
attack_technique: T1069
display_name: Permission Groups Discovery
atomic_tests:
- name: Permission Groups Discovery
description: |
Permission Groups Discovery
supported_platforms:
- macos
- linux
executor:
name: sh
command: |
dscacheutil -q group
dscl . -list /Groups
groups
- name: Basic Permission Groups Discovery Windows
description: |
Basic Permission Groups Discovery for Windows
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
net localgroup
net group /domain
- name: Permission Groups Discovery PowerShell
description: |
Permission Groups Discovery utilizing PowerShell
supported_platforms:
- windows
input_arguments:
user:
description: User to identify what groups a user is a member of
type: string
default: administrator
executor:
name: powershell
elevation_required: false
command: |
get-localgroup
get-ADPrinicipalGroupMembership #{user} | select name
atomic_tests:
- name: Elevated group enumeration using net group
description: |
Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
net groups 'Exchange Organization Management' /doma
net group 'BUILTIN\Backup Operators' /doma
Reference in New Issue View Git Blame Copy Permalink