Permission Groups Discovery

Adversaries may attempt to find local system or domain-level groups and permissions settings.

Windows

Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.

Mac

On macOS, the same can be accomplished with dscacheutil -q group for domain groups, or dscl . -list /Groups for local groups.

Linux

On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.

Office 365 and Azure AD

With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.[1][2]

Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command az ad user get-member-groups will list groups associated to a user account.[3][4]

ID: T1069
Tactic: Discovery
Platform: Linux, macOS, Windows, Office 365, Azure AD
Permissions Required: User
Data Sources: Azure activity logs, Office 365 account logs, API monitoring, Process monitoring, Process command-line parameters
CAPEC ID: CAPEC-576
Contributors: Microsoft Threat Intelligence Center (MSTIC)
Version: 2.0

Procedure Examples

Name Description
admin@338 admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: net localgroup administrator >> %temp%\download [22]
APT3 APT3 has a tool that can enumerate the permissions associated with Windows groups. [13]
Dragonfly 2.0 Dragonfly 2.0 used batch scripts to enumerate administrators in the environment. [21]
dsquery dsquery can be used to gather information on permission groups within a domain. [5]
Emissary Emissary has the capability to execute the command net localgroup administrators. [14]
Epic Epic gathers information on local group names. [17]
FIN6 FIN6 has used tools like Adfind to query users, groups, organizational units, and trusts. [25]
FlawedAmmyy FlawedAmmyy enumerates the privilege level of the victim during the initial infection. [18]
GRIFFON GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information. [20]
Helminth Helminth has checked for the local admin group, the domain admin group, and the Exchange Trusted Subsystem group using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain. [10]
JPIN JPIN can obtain the victim user name. [16]
Kazuar Kazuar gathers information about local groups and members. [12]
Ke3chang Ke3chang performs discovery of permission groups with net group /domain. [24]
Kwampirs Kwampirs collects lists of local accounts with administrative access, local group user accounts, and domain local groups with the commands net localgroup administrators, net localgroup users, and net localgroup /domain. [8]
MURKYTOP MURKYTOP has the capability to retrieve information about groups. [15]
Net Commands such as net group and net localgroup can be used in Net to gather information about and manipulate groups. [6]
OilRig OilRig has used net group /domain, net localgroup administrators, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find group permission settings on a victim. [23]
OSInfo OSInfo specifically looks for the Domain Admins, Power Users, and Administrators groups within the domain and locally. [13]
PoshC2 PoshC2 contains modules, such as Get-LocAdm, for enumerating permission groups. [7]
POWRUNER POWRUNER may collect permission group information by running net group /domain or a series of other commands on a victim. [11]
PUNCHBUGGY PUNCHBUGGY can gather domain and workgroup information. [19]
Sys10 Sys10 collects the group name of the logged-in user and sends it to the C2. [9]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
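The detection guidance above can be turned into a concrete process-monitoring check. The following is an added example, not an analytic from ATT&CK or from any of the cited vendors: it scans process-creation records for the group-enumeration commands named on this page (net group / net localgroup, dscl, dscacheutil, groups, ldapsearch, Get-MsolRole, az ad user get-member-groups) and, because the page stresses reading such events as a chain rather than in isolation, escalates when one host runs several of them within a short window. The pipe-delimited record format, the rule names, the regular expressions and the sample events are all constructed for this example.

```python
"""Added example: flag permission-group discovery commands in process logs and
escalate when a host runs several within a short window. Patterns, record
format and sample data are assumptions made for this example, not MITRE's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, platform, regex over the full command line). Assumed patterns.
RULES = [
    ("net_group_domain", "windows",
     re.compile(r"\bnet1?(\.exe)?\s+group\b.*\s/domain\b", re.I)),
    ("net_localgroup", "windows",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I)),
    ("dscl_groups", "macos",
     re.compile(r"\bdscl\b.*\s-list\s+/Groups\b")),
    ("dscacheutil_group", "macos",
     re.compile(r"\bdscacheutil\b.*\s-q\s+group\b")),
    ("groups_cmd", "linux",
     re.compile(r"^\s*(/usr/bin/)?groups(\s|$)")),
    ("ldapsearch_groups", "linux",
     re.compile(r"\bldapsearch\b.*group", re.I)),
    ("msol_role", "office365",
     re.compile(r"\bGet-MsolRole\b", re.I)),
    ("az_member_groups", "azuread",
     re.compile(r"\baz\s+ad\s+user\s+get-member-groups\b", re.I)),
]

# Constructed sample records: timestamp|host|user|image|command line.
SAMPLE_EVENTS = """\
2024-01-09T10:00:01Z|WS01|alice|C:\\Windows\\System32\\net.exe|net localgroup administrators
2024-01-09T10:00:07Z|WS01|alice|C:\\Windows\\System32\\net1.exe|net1 group "domain admins" /domain
2024-01-09T10:00:12Z|WS01|alice|C:\\Windows\\System32\\net.exe|net group "Exchange Trusted Subsystem" /domain
2024-01-09T10:05:00Z|WS02|bob|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2024-01-09T11:30:00Z|MAC01|carol|/usr/bin/dscl|dscl . -list /Groups
2024-01-09T11:31:00Z|LNX01|dave|/usr/bin/ldapsearch|ldapsearch -x -b dc=corp,dc=example "(objectClass=group)"
2024-01-09T12:00:00Z|WS03|eve|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c Get-MsolRole
"""


def parse_event(line):
    """Split one pipe-delimited record into a dict with a parsed timestamp."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host, "user": user, "image": image, "cmdline": cmdline,
    }


def match_rules(cmdline):
    """Return every (rule, platform) whose pattern matches the command line."""
    return [(name, platform) for name, platform, rx in RULES if rx.search(cmdline)]


def detect(text, window=timedelta(minutes=5), threshold=3):
    """Scan records; return (hits, escalations).

    hits: one dict per matching event.
    escalations: host -> sorted rule names, for hosts with at least
    `threshold` hits inside any `window`-long span (the chain-of-behaviour
    signal the page asks for, rather than a single isolated command).
    """
    hits, per_host = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, platform in match_rules(ev["cmdline"]):
            hits.append({**ev, "rule": name, "platform": platform})
            per_host[ev["host"]].append((ev["ts"], name))

    escalations = {}
    for host, seen in per_host.items():
        seen.sort()
        for t0, _ in seen:
            in_window = [n for t, n in seen if t0 <= t <= t0 + window]
            if len(in_window) >= threshold:
                escalations[host] = sorted(set(in_window))
                break
    return hits, escalations


if __name__ == "__main__":
    found, escalated = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts']:%H:%M:%S} {h['host']:5} {h['rule']:18} {h['cmdline']}")
    print("escalated hosts:", escalated)
```

Command-line matching only sees what reaches the process log: a Get-MsolRole call inside a script file, or a tool that queries the Windows API directly as the page notes, leaves no such command line, so this check belongs beside PowerShell script block logging and API monitoring rather than replacing them.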

References

  1. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  2. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  3. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  4. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  5. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  6. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  7. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  8. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  9. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  10. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  11. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  12. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.