security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
511bb87af29fb302dbd9e85bd93c2c00a47953ba
atomic-red-team/atomics/T1069/T1069.yaml
T
Brian Thacker 0c18a6ce98 T1069 Typo correction (#711) 
Small typo. Changed get-ADPrinicipalGroupMembership to get-ADPrincipalGroupMembership.
2019-12-09 16:00:30 -07:00

70 lines
1.5 KiB
YAML
Raw Blame History

---
attack_technique: T1069
display_name: Permission Groups Discovery
atomic_tests:
- name: Permission Groups Discovery
description: |
Permission Groups Discovery
supported_platforms:
- macos
- linux
executor:
name: sh
command: |
dscacheutil -q group
dscl . -list /Groups
groups
- name: Basic Permission Groups Discovery Windows
description: |
Basic Permission Groups Discovery for Windows
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
net localgroup
net group /domain
- name: Permission Groups Discovery PowerShell
description: |
Permission Groups Discovery utilizing PowerShell
supported_platforms:
- windows
input_arguments:
user:
description: User to identify what groups a user is a member of
type: string
default: administrator
executor:
name: powershell
elevation_required: false
command: |
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
- name: Elevated group enumeration using net group
description: |
Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
net groups 'Exchange Organization Management' /doma
net group 'BUILTIN\Backup Operators' /doma
Reference in New Issue View Git Blame Copy Permalink