security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5259c936c1f26f7ff162ca00640db226bc09aed0
atomic-red-team/atomics/T1069/T1069.md
T
CircleCI Atomic Red Team doc generator 5332936f8f Generate docs from job=validate_atomics_generate_docs branch=master
2019-11-11 01:55:17 +00:00

3.1 KiB
Raw Blame History

T1069 - Permission Groups Discovery

Description from ATT&CK

Adversaries may attempt to find local system or domain-level groups and permissions settings.

Windows

Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.

Mac

On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.

Linux

On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.

Office 365 and Azure AD

With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft msrole)(Citation: GitHub Raindance)

Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command az ad user get-member-groups will list groups associated to a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)

Atomic Tests


Atomic Test #1 - Permission Groups Discovery

Permission Groups Discovery

Supported Platforms: macOS, Linux

Run it with sh!

dscacheutil -q group
dscl . -list /Groups
groups


Atomic Test #2 - Basic Permission Groups Discovery Windows

Basic Permission Groups Discovery for Windows

Supported Platforms: Windows

Run it with command_prompt!

net localgroup
net group /domain


Atomic Test #3 - Permission Groups Discovery PowerShell

Permission Groups Discovery utilizing PowerShell

Supported Platforms: Windows

Inputs

Name Description Type Default Value
user User to identify what groups a user is a member of string administrator

Run it with powershell!

get-localgroup
get-ADPrinicipalGroupMembership #{user} | select name


Atomic Test #4 - Elevated group enumeration using net group

Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups

Supported Platforms: Windows

Run it with command_prompt!

net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
net groups 'Exchange Organization Management' /doma
net group 'BUILTIN\Backup Operators' /doma

Reference in New Issue View Git Blame Copy Permalink