Permission Groups Discovery
Adversaries may attempt to find local system or domain-level groups and permissions settings.
Examples of commands that can list groups are
net group /domain and
net localgroup using the Net utility.
On Mac, this same thing can be accomplished with the
dscacheutil -q group for the domain, or
dscl . -list /Groups for local groups.
On Linux, local groups can be enumerated with the
groups command and domain groups via the
Office 365 and Azure AD
With authenticated access there are several tools that can be used to find permissions groups. The
Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.
Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command
az ad user get-member-groups will list groups associated to a user account.
admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups:
|APT3||APT3 has a tool that can enumerate the permissions associated with Windows groups. |
|Dragonfly 2.0||Dragonfly 2.0 used batch scripts to enumerate administrators in the environment. |
|dsquery||dsquery can be used to gather information on permission groups within a domain. |
Emissary has the capability to execute the command
|Epic||Epic gathers information on local group names. |
|FIN6||FIN6 has used tools like Adfind to query users, groups, organizational units, and trusts. |
|FlawedAmmyy||FlawedAmmyy enumerates the privilege level of the victim during the initial infection. |
|GRIFFON||GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information. |
Helminth has checked for the local admin group domain admin group and Exchange Trusted Subsystem groups using the commands
|JPIN||JPIN can obtain the victim user name. |
|Kazuar||Kazuar gathers information about local groups and members. |
Ke3chang performs discovery of permission groups
Kwampirs collects lists of local accounts with administrative access, local group user accounts, and domain local groups with the commands
|MURKYTOP||MURKYTOP has the capability to retrieve information about groups. |
Commands such as
OilRig has used
|OSInfo||OSInfo specifically looks for Domain Admins, Power Users, and the Administrators groups within the domain and locally |
PoshC2 contains modules, such as
POWRUNER may collect permission group information by running
|PUNCHBUGGY||PUNCHBUGGY can gather domain and workgroup information. |
|Sys10||Sys10 collects the group name of the logged-in user and sends it to the C2. |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
- Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019.
- Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.
- Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
- Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.
- Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
- Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
- Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
- Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.