security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dbae21ab770c1935a7d32fbcd0139eb469fa2726
atomic-red-team/atomics/T1069/T1069.md
T
CircleCI Atomic Red Team doc generator b9391a70c3 Generate docs from job=validate_atomics_generate_docs branch=Mac-yaml
2018-05-25 16:21:32 +00:00

1.8 KiB
Raw Blame History

T1069 - Permission Groups Discovery

Description from ATT&CK

Adversaries may attempt to find local system or domain-level groups and permissions settings.

===Windows===

Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.

===Mac===

On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.

===Linux===

On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.

Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Platforms: Linux, Windows, macOS

Data Sources: API monitoring, Process command-line parameters, Process monitoring

Permissions Required: User

Atomic Tests


Atomic Test #1 - Permission Groups Discovery

Permission Groups Discovery

Supported Platforms: macOS, Linux

Run it with sh!

dscacheutil -q group
dscl . -list /Groups
groups

Reference in New Issue View Git Blame Copy Permalink