T1069 - Permission Groups Discovery
Description from ATT&CK
Adversaries may attempt to find local system or domain-level groups and permissions settings.
Windows
Examples of commands that can list groups are net group /domain and net localgroup, using the Net utility.
Mac
On Mac, the same thing can be accomplished with dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.
Linux
On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.
Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
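An added example (not code from Atomic Red Team or ATT&CK) of the detection logic described above, run over constructed process-creation records: it tags command lines that match the group-discovery commands listed on this page, then chains hits per host and user so that a lone net localgroup from a help-desk script is not alerted on by itself, while a burst mixing two different enumeration commands is. The JSON record layout, the field names and the 300-second window are assumptions made for this example; the patterns also cover Get-LocalGroupMember and Get-ADGroupMember, which are not on the page, and net1.exe, which net.exe hands most subcommands to.

```python
"""Flag T1069 group-discovery command lines in process-creation events and
chain them per host/user.  Example code, not Atomic Red Team or ATT&CK code;
the log records below are constructed and the signatures are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Signatures for the commands this page lists.  net.exe hands most subcommands
# to net1.exe, so both are matched.  Get-LocalGroupMember and Get-ADGroupMember
# are assumed sibling cmdlets worth catching alongside the ones on the page.
DISCOVERY_PATTERNS = [
    ("windows_net_group", re.compile(r"\bnet1?(?:\.exe)?\s+group\b", re.I)),
    ("windows_net_localgroup", re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b", re.I)),
    ("powershell_localgroup", re.compile(r"\bGet-LocalGroup(?:Member)?\b", re.I)),
    ("powershell_ad_group", re.compile(r"\bGet-AD(?:PrincipalGroupMembership|Group(?:Member)?)\b", re.I)),
    ("macos_dscl_groups", re.compile(r"\bdscl\b.*\s-list\s+/Groups\b", re.I)),
    ("macos_dscacheutil_group", re.compile(r"\bdscacheutil\b.*-q\s+group\b", re.I)),
    ("linux_groups", re.compile(r"(?:^|[\s/])groups(?:\s|$)")),  # case-sensitive on purpose
    ("linux_ldapsearch", re.compile(r"\bldapsearch\b")),
]

# Constructed process-creation records (one JSON object per line).  Field names
# are an assumption; map your own EDR/Sysmon/auditd fields onto them.
SAMPLE_EVENTS = [
    r'{"ts":"2024-05-01T10:00:01Z","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\net.exe","cmdline":"net group /domain"}',
    r'{"ts":"2024-05-01T10:00:03Z","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\net1.exe","cmdline":"C:\\Windows\\system32\\net1 group /domain"}',
    r'{"ts":"2024-05-01T10:00:20Z","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -c Get-ADPrincipalGroupMembership administrator | select name"}',
    r'{"ts":"2024-05-01T10:05:00Z","host":"SRV02","user":"CORP\\svc_backup","image":"C:\\Program Files\\Backup\\agent.exe","cmdline":"agent.exe --schedule nightly"}',
    r'{"ts":"2024-05-01T10:06:00Z","host":"mac01","user":"bob","image":"/usr/bin/dscl","cmdline":"dscl . -list /Groups"}',
    r'{"ts":"2024-05-01T10:06:05Z","host":"mac01","user":"bob","image":"/usr/bin/dscacheutil","cmdline":"dscacheutil -q group"}',
    r'{"ts":"2024-05-01T11:30:00Z","host":"lnx01","user":"carol","image":"/usr/bin/groups","cmdline":"groups"}',
]


def classify(cmdline):
    """Return the names of every discovery signature matched by one command line."""
    return [name for name, rx in DISCOVERY_PATTERNS if rx.search(cmdline)]


def scan(lines):
    """Parse JSON process-creation records and keep those matching a signature."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        labels = classify(ev.get("cmdline", ""))
        if labels:
            hits.append({**ev, "techniques": labels})
    return hits


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _summarize(host, user, burst):
    """Report a burst only if it mixes at least two distinct discovery commands."""
    techniques = sorted({t for e in burst for t in e["techniques"]})
    if len(techniques) < 2:
        return []
    return [{"host": host, "user": user, "start": burst[0]["ts"], "end": burst[-1]["ts"],
             "event_count": len(burst), "techniques": techniques}]


def chain(hits, window_seconds=300):
    """Group hits per host/user into bursts whose consecutive events are no more
    than window_seconds apart, then keep bursts mixing two or more discovery
    commands: the 'chain of behavior' the detection note asks for, rather than
    an isolated command."""
    by_actor = defaultdict(list)
    for h in hits:
        by_actor[(h["host"], h["user"])].append(h)
    chains = []
    for (host, user), events in by_actor.items():
        events.sort(key=lambda e: _parse_ts(e["ts"]))
        burst = [events[0]]
        for ev in events[1:]:
            gap = (_parse_ts(ev["ts"]) - _parse_ts(burst[-1]["ts"])).total_seconds()
            if gap <= window_seconds:
                burst.append(ev)
            else:
                chains.extend(_summarize(host, user, burst))
                burst = [ev]
        chains.extend(_summarize(host, user, burst))
    return chains


if __name__ == "__main__":
    for c in chain(scan(SAMPLE_EVENTS)):
        print(f"{c['host']} {c['user']}: {c['event_count']} events "
              f"{c['start']}..{c['end']} -> {', '.join(c['techniques'])}")
```

On the sample records the WS01/alice burst (net group, its net1 child, then the PowerShell cmdlet) and the mac01/bob burst (dscl then dscacheutil) are reported; carol's single groups call on lnx01 is not. The net/net1 pair shows why counting distinct signatures rather than raw hits matters: one net group invocation produces two process-creation events.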
Platforms: Linux, Windows, macOS
Data Sources: API monitoring, Process command-line parameters, Process monitoring
Permissions Required: User
Atomic Tests
Atomic Test #1 - Permission Groups Discovery
Permission Groups Discovery
Supported Platforms: macOS, Linux (dscacheutil and dscl exist only on macOS; on Linux only the groups command applies)
Run it with sh!
dscacheutil -q group
dscl . -list /Groups
groups
Atomic Test #2 - Permission Groups Discovery Windows
Permission Groups Discovery for Windows
Supported Platforms: Windows
Run it with command_prompt!
net localgroup
net group /domain
Atomic Test #3 - Permission Groups Discovery PowerShell
Permission Groups Discovery utilizing PowerShell
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| user | User to identify what groups a user is a member of | string | administrator |
Run it with powershell!
get-localgroup
# Requires the ActiveDirectory module (RSAT) and a domain-joined host
Get-ADPrincipalGroupMembership #{user} | select name