hypnoticpattern
7d63609ea3
* Added dependencies and fixed tests * Added description to dependencies. * Executable presence checked in dependencies Co-authored-by: hypnoticpattern <> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
74 lines
2.3 KiB
YAML
74 lines
2.3 KiB
YAML
---
|
|
attack_technique: T1069
|
|
display_name: Permission Groups Discovery
|
|
|
|
atomic_tests:
|
|
- name: Permission Groups Discovery
|
|
description: |
|
|
Permission Groups Discovery
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi;
|
|
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
|
|
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
|
|
|
|
- name: Basic Permission Groups Discovery Windows
|
|
description: |
|
|
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
information will be displayed.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
net localgroup
|
|
net group /domain
|
|
net group "domain admins" /domain
|
|
|
|
- name: Permission Groups Discovery PowerShell
|
|
description: |
|
|
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
information will be displayed.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
user:
|
|
description: User to identify what groups a user is a member of
|
|
type: string
|
|
default: administrator
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
get-localgroup
|
|
get-ADPrincipalGroupMembership #{user} | select name
|
|
|
|
- name: Elevated group enumeration using net group
|
|
description: |
|
|
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
|
|
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
net group /domai "Domain Admins"
|
|
net groups "Account Operators" /doma
|
|
net groups "Exchange Organization Management" /doma
|
|
net group "BUILTIN\Backup Operators" /doma
|