T1069.001
Permission Groups Discovery: Local Groups
Description from ATT&CK
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Commands such as <code>net localgroup</code> of the Net utility, <code>dscl . -list /Groups</code> on macOS, and <code>groups</code> on Linux can list local groups. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/
Atomic Tests
Atomic Test #1 - Permission Groups Discovery (Local)
Permission Groups Discovery
Supported Platforms: macos,linux
auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae
Inputs:
None
Attack Commands: Run with sh!
1
2
3
4
5
6
7
if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
if [ -x "$(command -v id)" ]; then id; else echo "id is missing from the machine. skipping..."; fi;
if [ -x "$(command -v getent)" ]; then getent group; else echo "getent is missing from the machine. skipping..."; fi;
cat /etc/group
Atomic Test #2 - Basic Permission Groups Discovery Windows (Local)
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
Supported Platforms: windows
auto_generated_guid: 1f454dd6-e134-44df-bebb-67de70fb6cd8
Inputs:
None
Attack Commands: Run with command_prompt!
1
2
3
net localgroup
net localgroup "Administrators"
Atomic Test #3 - Permission Groups Discovery PowerShell (Local)
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
Supported Platforms: windows
auto_generated_guid: a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
get-localgroup
Get-LocalGroupMember -Name "Administrators"
Atomic Test #4 - SharpHound3 - LocalAdmin
This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR)
Supported Platforms: windows
auto_generated_guid: e03ada14-0980-4107-aff1-7783b2b59bb1
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| domain | FQDN of the targeted domain | string | $env:UserDnsDomain |
| sharphound_path | SharpHound Windows executable | path | $env:TEMP\SharpHound.exe |
| output_path | Output for SharpHound | path | $env:TEMP\SharpHound\ |
Attack Commands: Run with powershell!
1
2
3
New-Item -Path "#{output_path}" -ItemType Directory > $null
& "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
Cleanup Commands:
1
2
Remove-Item -Recurse #{output_path} -ErrorAction Ignore
Dependencies: Run with powershell!
Description: SharpHound binary must exist on disk and at specified location (#{sharphound_path}). And the computer must be domain joined (implicit authentication).
Check Prereq Commands:
1
2
if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 }
Get Prereq Commands:
1
2
Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}"
Atomic Test #5 - Wmic Group Discovery
Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system.
Supported Platforms: windows
auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2
Inputs:
None
Attack Commands: Run with powershell!
1
2
wmic.exe group get name
Atomic Test #6 - WMIObject Group Discovery
Utilizing PowerShell cmdlet - get-wmiobject, to enumerate local groups on the endpoint. Upon execution, Upon execution, information will be displayed of local groups on system.
Supported Platforms: windows
auto_generated_guid: 69119e58-96db-4110-ad27-954e48f3bb13
Inputs:
None
Attack Commands: Run with powershell!
1
2
Get-WMIObject Win32_Group