Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as `net localgroup` of the [Net](https://attack.mitre.org/software/S0039) utility, `dscl . -list /Groups` on macOS, and `groups` on Linux can list local groups. Note that `groups` and `id` report only the memberships of the calling user; enumerating every local group and its members takes `getent group` or a read of `/etc/group` on Linux, `dscacheutil -q group` on macOS, and `net localgroup <group>` or `Get-LocalGroupMember` on Windows.
- Atomic Test #2 - Basic Permission Groups Discovery Windows (Local)
- Atomic Test #3 - Permission Groups Discovery PowerShell (Local)
- Atomic Test #7 - Permission Groups Discovery for Containers- Local Groups
Permission Groups Discovery on Linux and macOS: each native group-listing utility is run if it is present on the host and skipped with a message otherwise, then the local group database is read directly.
Supported Platforms: Linux, macOS
auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae
Attack Commands: Run with sh!

```sh
# macOS: dump the directory-services group cache, then list every group in the local directory node
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
# both platforms: groups and id show only the calling user's own memberships
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
if [ -x "$(command -v id)" ]; then id; else echo "id is missing from the machine. skipping..."; fi;
# Linux: getent consults NSS (local files plus any LDAP/SSSD source); /etc/group is the local file only
if [ -x "$(command -v getent)" ]; then getent group; else echo "getent is missing from the machine. skipping..."; fi;
cat /etc/group
```
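The test above dumps the group database, but the question the technique description poses is which users hold elevated permissions, and neither `groups`/`id` (calling user only) nor `cat /etc/group` alone answers it: `/etc/group` lists only supplementary members, so a user whose primary GID is `wheel` never appears on the `wheel` line. The following added example is not part of the Atomic Red Team test; it joins a group file with a passwd file and prints the members of a configurable set of privileged groups. The privileged group list and the sample passwd/group data are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the Atomic Red Team atomic: report who holds
# membership in privileged local groups, using files in /etc/group and
# /etc/passwd format. The privileged group names are an assumption; tune
# them per host.
PRIV_GROUPS="root wheel sudo admin adm docker lxd"

# privileged_members GROUPFILE PASSWDFILE
# Prints "group:user1,user2" for every privileged group with at least one
# member. Membership is the union of the explicit member list (field 4 of
# the group file) and the users whose primary GID (field 4 of passwd) is
# that group, since /etc/group never lists primary-group members.
privileged_members() {
    awk -F: -v priv="$PRIV_GROUPS" '
        BEGIN { n = split(priv, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # first input file (passwd): map each GID to the users whose primary group it is
        FNR == NR {
            if (NF >= 4) prim[$4] = (prim[$4] == "" ? $1 : prim[$4] "," $1)
            next
        }
        # second input file (group): name:password:gid:member,member,...
        NF >= 3 && ($1 in want) {
            list = $4
            if (prim[$3] != "") list = (list == "" ? prim[$3] : list "," prim[$3])
            out = ""
            m = split(list, u, ",")
            for (i = 1; i <= m; i++) {
                if (u[i] == "" || (($1, u[i]) in seen)) continue
                seen[$1, u[i]] = 1
                out = (out == "" ? u[i] : out "," u[i])
            }
            if (out != "") print $1 ":" out
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from a real host). "ops" is privileged
# only through a primary GID of 10 (wheel), which a plain "cat /etc/group"
# would not reveal.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
ops:x:1002:10:Ops:/home/ops:/bin/bash
svc:x:1003:1003:Service:/var/lib/svc:/usr/sbin/nologin
EOF
}
sample_group() {
    cat <<'EOF'
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
docker:x:999:bob,svc
users:x:100:alice,bob,ops
EOF
}

# demo: run the report over the sample files
# (on a live host call privileged_members /etc/group /etc/passwd instead)
demo() {
    tmp=$(mktemp -d) || return 1
    sample_passwd > "$tmp/passwd"
    sample_group > "$tmp/group"
    privileged_members "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

The report reads local files only; for accounts served through LDAP or SSSD, feed it the output of `getent group` and `getent passwd`, which use the same field layout.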
Basic Permission Groups Discovery for Windows using `net localgroup`. Upon execution, the local groups on the host and the members of the local Administrators group are displayed; on a domain-joined host, domain principals nested in that group are listed as well.
Supported Platforms: Windows
auto_generated_guid: 1f454dd6-e134-44df-bebb-67de70fb6cd8
Attack Commands: Run with command_prompt!

```cmd
rem list every local group on the host
net localgroup
rem list the members of the local Administrators group (domain principals appear here on a domain-joined host)
net localgroup "Administrators"
```
Permission Groups Discovery utilizing the PowerShell LocalAccounts cmdlets. Upon execution, the local groups on the host and the members of the local Administrators group are displayed; nested domain principals appear on a domain-joined host, and the member listing may display errors if the group contains members from a domain that cannot be contacted.
Supported Platforms: Windows
auto_generated_guid: a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
Attack Commands: Run with powershell!

```powershell
# list every local group (LocalAccounts module, Windows PowerShell 5.1 and later)
Get-LocalGroup
# list the members of the local Administrators group, including nested domain principals
Get-LocalGroupMember -Name "Administrators"
```
This test runs the Windows executable of SharpHound with the LocalAdmin collection method, which remotely enumerates the members of the local Administrators group on domain-joined computers over SAMR.
Supported Platforms: Windows
auto_generated_guid: e03ada14-0980-4107-aff1-7783b2b59bb1
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | FQDN of the targeted domain | string | $env:UserDnsDomain |
| sharphound_path | SharpHound Windows executable | path | PathToAtomicsFolder\..\ExternalPayloads\SharpHound.exe |
| output_path | Output for SharpHound | path | $env:TEMP\SharpHound\ |
Attack Commands: Run with powershell!

```powershell
# create the output directory, then collect local-admin membership for the domain without writing a cache
New-Item -Path "#{output_path}" -ItemType Directory > $null
& "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
```
Cleanup Commands:

```powershell
Remove-Item -Recurse #{output_path} -ErrorAction Ignore
```
Dependencies: Run with powershell!

Description: SharpHound must exist on disk at the specified location (#{sharphound_path}), and the computer must be domain joined (implicit authentication).

Check Prereq Commands:

```powershell
if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 }
```
Get Prereq Commands:

```powershell
# fetch the collector pinned to a specific BloodHound commit into the external payloads folder
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}"
```
Utilizing wmic.exe to enumerate groups on the local system. Upon execution, the names of the groups on the system are displayed. Note that the Win32_Group class also returns domain groups on a domain-joined host (the LocalAccount property distinguishes them), and that wmic.exe is deprecated in current Windows releases, so the Get-WMIObject variant below or `Get-CimInstance Win32_Group` is the more durable form.
Supported Platforms: Windows
auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2
Attack Commands: Run with command_prompt!

```cmd
rem list group names via WMI (local groups and, on a domain-joined host, domain groups)
wmic group get name
```
Utilizing the PowerShell cmdlet Get-WmiObject to enumerate local groups on the endpoint. Upon execution, the groups on the system are displayed. Get-WmiObject is not available in PowerShell 7; `Get-CimInstance Win32_Group` returns the same class there.
Supported Platforms: Windows
auto_generated_guid: 69119e58-96db-4110-ad27-954e48f3bb13
Attack Commands: Run with powershell!

```powershell
# query the Win32_Group WMI class (the same data wmic.exe returns);
# add -Filter "LocalAccount=True" to keep only local groups
Get-WMIObject Win32_Group
```
Permission Groups Discovery inside a container. The test builds an image from the T1069.001 source directory, starts a container from it, and runs the bundled test.sh inside the container to enumerate the container's local groups. Upon execution, the groups defined inside the container are displayed.
Supported Platforms: Containers
auto_generated_guid: 007d7aa4-8c4d-4f55-ba6a-7c965d51219c
Attack Commands: Run with sh!

```sh
# build the test image from the atomic's source directory, start a container from it,
# and run the enumeration script inside the container
docker build -t t1069 "$PathtoAtomicsFolder/T1069.001/src/"
docker run --name t1069_container -d -t t1069
docker exec t1069_container ./test.sh
```
Cleanup Commands:

```sh
docker stop t1069_container
# remove the stopped container before the image; rmi -f alone only untags an image a container still references
docker rm t1069_container
docker rmi -f t1069
```
Dependencies: Run with sh!

Check Prereq Commands:

```sh
which docker
```

Get Prereq Commands:

```sh
# POSIX test uses a single "=" for string comparison; on Debian/Ubuntu the engine package is docker.io
if [ "" = "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker.io ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
```

Check Prereq Commands:

```sh
sudo systemctl status docker --no-pager
```

Get Prereq Commands:

```sh
sudo systemctl start docker
```
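Every command in the tests above leaves a process-creation record, which is where this technique is usually detected. The following added example is not from the Atomic Red Team project; it runs a small rule set over constructed process-creation records in a pipe-separated `timestamp|host|user|image|commandline` layout, which is an assumed format rather than any vendor's schema. The rules key on the image name together with a command-line fragment so that `getent passwd` or `wmic process` do not fire, and `groups`/`id` are deliberately left out because they run constantly on interactive hosts and only expose the caller's own memberships.

```sh
#!/bin/sh
# Added example, not part of the Atomic Red Team atomics: flag process-creation
# records that match the local-group enumeration commands exercised on this page.
# Input format (an assumption, not a vendor schema), one record per line:
#   timestamp|host|user|image|commandline
# A "|" inside the command line would spill into extra fields; a real pipeline
# needs a proper parser for its own schema.
# Output: rule|host|user|commandline for each matching record.

detect_group_enum() {
    awk -F'|' '
        NF >= 5 {
            img = tolower($4); cmd = tolower($5); rule = ""
            # net.exe hands "net localgroup" to net1.exe, so either image counts;
            # the SharpHound rule keys on the LocalAdmin collection flag rather than
            # the binary name, since the collector is routinely renamed
            if (img ~ /(^|\\)net1?\.exe$/ && cmd ~ /localgroup/)
                rule = "net_localgroup"
            else if (img ~ /(^|\\)wmic\.exe$/ && cmd ~ /(^|[ \t])group([ \t]|$)/)
                rule = "wmic_group"
            else if (img ~ /(powershell\.exe|pwsh\.exe|pwsh)$/ && cmd ~ /get-localgroup|win32_group/)
                rule = "ps_localgroup"
            else if (img ~ /(^|\/)dscl$/ && cmd ~ /-list[ \t]+\/groups/)
                rule = "dscl_groups"
            else if (img ~ /(^|\/)dscacheutil$/ && cmd ~ /-q[ \t]+group/)
                rule = "dscacheutil_group"
            else if (img ~ /(^|\/)getent$/ && cmd ~ /(^|[ \t])group([ \t]|$)/)
                rule = "getent_group"
            else if (cmd ~ /\/etc\/group([ \t]|$)/)
                rule = "etc_group_read"
            else if (cmd ~ /collectionmethod[ \t=]+localadmin/)
                rule = "sharphound_localadmin"
            if (rule != "") print rule "|" $2 "|" $3 "|" $5
        }'
}

# Constructed sample records (not real telemetry); records 2 and 7 must not match.
sample_events() {
    cat <<'EOF'
2024-05-01T10:00:01Z|WS01|corp\alice|C:\Windows\System32\net1.exe|net1 localgroup "Administrators"
2024-05-01T10:00:02Z|WS01|corp\alice|C:\Windows\System32\cmd.exe|cmd /c dir
2024-05-01T10:00:03Z|WS02|corp\bob|C:\Windows\System32\wbem\WMIC.exe|wmic group get name
2024-05-01T10:00:04Z|WS02|corp\bob|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c Get-LocalGroupMember -Name Administrators
2024-05-01T10:00:05Z|MAC01|carol|/usr/bin/dscl|dscl . -list /Groups
2024-05-01T10:00:06Z|LNX01|dave|/usr/bin/getent|getent group
2024-05-01T10:00:07Z|LNX01|dave|/usr/bin/getent|getent passwd root
2024-05-01T10:00:08Z|WS03|corp\eve|C:\Users\eve\AppData\Local\Temp\svc.exe|svc.exe -d corp.local --CollectionMethod LocalAdmin --NoSaveCache
EOF
}

# demo: run the rules over the sample records and return the alerts
demo() { sample_events | detect_group_enum; }

demo
```

The image checks are what keep the rules usable: matching `localgroup` or `group` in any command line would also fire on help text and scripts, while the PowerShell rule, which cannot see the image of cmdlets run from an existing session, is the one to pair with script-block logging.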