atomic-threat-coverage/Atomic_Threat_Coverage/Triggers/T1069.md
2019-02-12 04:55:11 +01:00

T1069 - Permission Groups Discovery

Description from ATT&CK

Adversaries may attempt to find local system or domain-level groups and permissions settings.

Windows

Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.

Mac

On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.

Linux

On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.

Atomic Tests


Atomic Test #1 - Permission Groups Discovery

Permission Groups Discovery

Supported Platforms: macOS, Linux

Run it with sh!

dscacheutil -q group
dscl . -list /Groups
groups


Atomic Test #2 - Permission Groups Discovery Windows

Permission Groups Discovery for Windows

Supported Platforms: Windows

Run it with command_prompt!

net localgroup
net group /domain


Atomic Test #3 - Permission Groups Discovery PowerShell

Permission Groups Discovery utilizing PowerShell

Supported Platforms: Windows

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator |

Run it with powershell!

get-localgroup
Get-ADPrincipalGroupMembership #{user} | select name
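
Detection-side view of the three atomic tests above, as an added example that is not part of the original page or of the Atomic Threat Coverage project: a matcher for the listed command lines, run over constructed process-creation events. The event fields (host, user, cmdline), the net1.exe handling and the variable dscl data source are assumptions of this sketch.

```python
import re

# Rule label -> regex over a lower-cased, whitespace-collapsed command line.
# net1? covers net.exe handing the command to net1.exe; the dscl data source
# is allowed to vary (the page uses "."). Both are assumptions of this sketch.
RULES = [
    ("net localgroup", r'(?:^|[\\/ "])net1?(?:\.exe)?"? localgroup(?: |$)'),
    ("net group /domain", r'(?:^|[\\/ "])net1?(?:\.exe)?"? group(?: .*)? /domain(?: |$)'),
    ("dscacheutil -q group", r"(?:^|/)dscacheutil -q group(?: |$)"),
    ("dscl -list /Groups", r"(?:^|/)dscl \S+ -list /groups(?: |$)"),
    ("groups", r"^(?:\S*/)?groups(?: |$)"),
    # (?![\w-]) keeps Get-LocalGroupMember from matching the Get-LocalGroup rule.
    ("Get-LocalGroup", r"\bget-localgroup(?![\w-])"),
    ("Get-ADPrincipalGroupMembership", r"\bget-adprincipalgroupmembership\b"),
]
COMPILED = [(label, re.compile(rx)) for label, rx in RULES]

def match_t1069(cmdline):
    """Return the labels of every rule the command line matches."""
    norm = " ".join(cmdline.lower().split())
    return [label for label, rx in COMPILED if rx.search(norm)]

def detect(events):
    """Return (host, user, label) for each event that matches a rule."""
    return [(e["host"], e["user"], label)
            for e in events for label in match_t1069(e["cmdline"])]

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "cmdline": r'"C:\Windows\System32\net1.exe" localgroup'},
    {"host": "ws01", "user": "alice", "cmdline": "net  GROUP /domain"},
    {"host": "ws01", "user": "alice", "cmdline": r"net use Z: \\fs01\share"},
    {"host": "ws02", "user": "bob", "cmdline": "powershell.exe -c Get-LocalGroupMember Administrators"},
    {"host": "ws02", "user": "bob", "cmdline": "powershell.exe -c Get-ADPrincipalGroupMembership administrator | select name"},
    {"host": "mac01", "user": "carol", "cmdline": "/usr/bin/dscl . -list /Groups"},
    {"host": "lnx01", "user": "dave", "cmdline": "/usr/bin/groups"},
    {"host": "lnx01", "user": "dave", "cmdline": "cat /etc/group"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

These commands are also routine administration, so matches are more useful when grouped per host and user than when alerted on one at a time.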