Carrie Roberts
511bb87af2
* first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * first draft at dependencies * lowercase url
126 lines
3.2 KiB
Markdown
126 lines
3.2 KiB
Markdown
# T1069 - Permission Groups Discovery
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069)
|
|
<blockquote>Adversaries may attempt to find local system or domain-level groups and permissions settings.
|
|
|
|
### Windows
|
|
|
|
Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the [Net](https://attack.mitre.org/software/S0039) utility.
|
|
|
|
### Mac
|
|
|
|
On Mac, this same thing can be accomplished with the <code>dscacheutil -q group</code> for the domain, or <code>dscl . -list /Groups</code> for local groups.
|
|
|
|
### Linux
|
|
|
|
On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.
|
|
|
|
### Office 365 and Azure AD
|
|
|
|
With authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft msrole)(Citation: GitHub Raindance)
|
|
|
|
Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command <code>az ad user get-member-groups</code> will list groups associated to a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Permission Groups Discovery](#atomic-test-1---permission-groups-discovery)
|
|
|
|
- [Atomic Test #2 - Basic Permission Groups Discovery Windows](#atomic-test-2---basic-permission-groups-discovery-windows)
|
|
|
|
- [Atomic Test #3 - Permission Groups Discovery PowerShell](#atomic-test-3---permission-groups-discovery-powershell)
|
|
|
|
- [Atomic Test #4 - Elevated group enumeration using net group](#atomic-test-4---elevated-group-enumeration-using-net-group)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Permission Groups Discovery
|
|
Permission Groups Discovery
|
|
|
|
**Supported Platforms:** macOS, Linux
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `sh`!
|
|
```
|
|
dscacheutil -q group
|
|
dscl . -list /Groups
|
|
groups
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Basic Permission Groups Discovery Windows
|
|
Basic Permission Groups Discovery for Windows
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
```
|
|
net localgroup
|
|
net group /domain
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - Permission Groups Discovery PowerShell
|
|
Permission Groups Discovery utilizing PowerShell
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| user | User to identify what groups a user is a member of | string | administrator|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
```
|
|
get-localgroup
|
|
get-ADPrincipalGroupMembership #{user} | select name
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Elevated group enumeration using net group
|
|
Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
```
|
|
net group /domai 'Domain Admins'
|
|
net groups 'Account Operators' /doma
|
|
net groups 'Exchange Organization Management' /doma
|
|
net group 'BUILTIN\Backup Operators' /doma
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|