
Permission Groups Discovery

Adversaries may attempt to find local system or domain-level groups and permissions settings.

Windows

Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.

Mac

On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.

Linux

On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.

ID: T1069

Tactic: Discovery

Platform: Linux, macOS, Windows

Permissions Required: User

Data Sources: API monitoring, Process monitoring, Process command-line parameters

CAPEC ID: CAPEC-576

Version: 1.0

Examples

Name / Description
admin@338

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: net localgroup administrator >> %temp%\download[1]

APT3

APT3 has a tool that can enumerate the permissions associated with Windows groups.[2]

Dragonfly 2.0

Dragonfly 2.0 used batch scripts to enumerate administrators in the environment.[3]

dsquery

dsquery can be used to gather information on permission groups within a domain.[4]

Emissary

Emissary has the capability to execute the command net localgroup administrators.[5]

Helminth

Helminth has checked for the local admin group, the domain admin group, and the Exchange Trusted Subsystem group using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain.[6]

JPIN

JPIN can obtain the victim user name.[7]

Kazuar

Kazuar gathers information about local groups and members.[8]

Ke3chang

Ke3chang performs discovery of permission groups using net group /domain.[9]

Kwampirs

Kwampirs collects lists of local accounts with administrative access, local group user accounts, and domain local groups with the commands net localgroup administrators, net localgroup users, and net localgroup /domain.[10]

MURKYTOP

MURKYTOP has the capability to retrieve information about groups.[11]

Net

Commands such as net group and net localgroup can be used in Net to gather information about and manipulate groups.[12]

OilRig

OilRig has used net group /domain, net localgroup administrators, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find group permission settings on a victim.[13]

OSInfo

OSInfo specifically looks for the Domain Admins, Power Users, and Administrators groups within the domain and locally.[2]

POWRUNER

POWRUNER may collect permission group information by running net group /domain or a series of other commands on a victim.[14]

Sys10

Sys10 collects the group name of the logged-in user and sends it to the C2.[15]

Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting tools [16], like AppLocker [17] [18] or Software Restriction Policies [19], where appropriate. [20]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
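As an added example (not part of this ATT&CK page), the detection guidance above applied to process-creation telemetry: the regexes cover the group-enumeration commands this page names for each platform, and a host is only reported when several hits cluster inside a time window, matching the advice to judge discovery as a chain of behavior rather than as isolated events. The event format, host names, timestamps and command lines are constructed assumptions, not real telemetry.

```python
import json
import re
from collections import defaultdict

# Regexes for the group-enumeration commands named on this page, per platform.
# Matched case-insensitively against the full process command line.
GROUP_DISCOVERY = {
    "windows": [r"\bnet1?(?:\.exe)?\s+(?:group|localgroup)\b"],
    "macos": [r"\bdscacheutil\s+-q\s+group\b", r"\bdscl\s+\.\s+-list\s+/Groups\b"],
    "linux": [r"(?:^|/)groups(?:\s|$)", r"\bldapsearch\b"],
}
# Constructed process-creation events (not real telemetry), one JSON object per line.
SAMPLE_LOG = r"""
{"ts": 100, "host": "ws01", "platform": "windows", "cmd": "net group /domain"}
{"ts": 130, "host": "ws01", "platform": "windows", "cmd": "net localgroup administrators"}
{"ts": 160, "host": "ws01", "platform": "windows", "cmd": "net group \"domain admins\" /domain"}
{"ts": 200, "host": "ws02", "platform": "windows", "cmd": "net use \\\\fs01\\share"}
{"ts": 300, "host": "mac01", "platform": "macos", "cmd": "dscl . -list /Groups"}
{"ts": 900, "host": "srv01", "platform": "linux", "cmd": "/usr/bin/groups"}
{"ts": 905, "host": "srv01", "platform": "linux", "cmd": "ldapsearch -x -b dc=example,dc=com"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_group_discovery(event):
    """True if the command line matches a group-enumeration command for its platform."""
    patterns = GROUP_DISCOVERY.get(event["platform"], [])
    return any(re.search(p, event["cmd"], re.IGNORECASE) for p in patterns)

def discovery_chains(events, window=300, min_hits=2):
    """Per host, find the densest run of group-discovery commands inside `window`
    seconds; hosts with at least `min_hits` are returned with their command lines."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if is_group_discovery(e):
            hits[e["host"]].append(e)
    alerts = {}
    for host, evs in hits.items():
        best, start = [], 0
        for end in range(len(evs)):           # sliding window over sorted hits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= min_hits:
            alerts[host] = [e["cmd"] for e in best]
    return alerts
```

A single hit (mac01 above) is kept out of the alert set by default; lowering `min_hits` to 1 turns the function into a plain per-command match for tuning against your own baseline.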

References