
Permission Groups Discovery

Adversaries may attempt to find local system or domain-level groups and permissions settings.

Windows

Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.

Mac

On Mac, the same can be accomplished with dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.

Linux

On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.

ID: T1069
Tactic: Discovery
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: API monitoring, Process monitoring, Process command-line parameters
CAPEC ID: CAPEC-576
Version: 1.0

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Examples

admin@338: admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: net localgroup administrator >> %temp%\download [17]
APT3: APT3 has a tool that can enumerate the permissions associated with Windows groups. [9]
Dragonfly 2.0: Dragonfly 2.0 used batch scripts to enumerate administrators in the environment. [16]
dsquery: dsquery can be used to gather information on permission groups within a domain. [1]
Emissary: Emissary has the capability to execute the command net localgroup administrators. [10]
Epic: Epic gathers information on local group names. [13]
FIN6: FIN6 has used tools like Adfind to query users, groups, organizational units, and trusts. [20]
FlawedAmmyy: FlawedAmmyy enumerates the privilege level of the victim during the initial infection. [14]
Helminth: Helminth has checked for the local admin group, domain admin group, and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain. [6]
JPIN: JPIN can obtain the victim user name. [12]
Kazuar: Kazuar gathers information about local groups and members. [8]
Ke3chang: Ke3chang performs discovery of permission groups with net group /domain. [19]
Kwampirs: Kwampirs collects lists of local accounts with administrative access, local group user accounts, and domain local groups with the commands net localgroup administrators, net localgroup users, and net localgroup /domain. [4]
MURKYTOP: MURKYTOP has the capability to retrieve information about groups. [11]
Net: Commands such as net group and net localgroup can be used in Net to gather information about and manipulate groups. [2]
OilRig: OilRig has used net group /domain, net localgroup administrators, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find group permission settings on a victim. [18]
OSInfo: OSInfo specifically looks for Domain Admins, Power Users, and the Administrators groups within the domain and locally. [9]
PoshC2: PoshC2 contains modules, such as Get-LocAdm, for enumerating permission groups. [3]
POWRUNER: POWRUNER may collect permission group information by running net group /domain or a series of other commands on a victim. [7]
PUNCHBUGGY: PUNCHBUGGY can gather domain and workgroup information. [15]
Sys10: Sys10 collects the group name of the logged-in user and sends it to the C2. [5]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
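The detection guidance above, and the command lines listed in the Examples section, can be turned into a concrete check. The following is an added example written for this page, not code from ATT&CK or from any of the referenced reports. It assumes process-creation telemetry arrives as JSON lines with ts, host, user, platform, image and cmdline fields (an assumed shape loosely modelled on EDR or Sysmon process-creation records), matches the group-enumeration commands the page names for Windows, macOS and Linux, and then groups hits per host and user so that a run of distinct discovery commands in a short window is reported as one chain of behaviour rather than as isolated events. The sample events are constructed.

```python
"""Added example (not part of the ATT&CK page): flagging T1069-style group
enumeration in process-creation telemetry and chaining hits per host/user.

Event shape (ts, host, user, platform, image, cmdline as one JSON object per
line) is an assumption; the sample events at the bottom are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command patterns named on the technique page, per platform. Ordered so the
# more specific pattern (domain query) wins over the generic one. "net1" is
# included because net.exe hands most subcommands to net1.exe on Windows.
PATTERNS = {
    "windows": [
        ("net_group_domain", re.compile(r"\bnet1?\s+group\b.*/domain\b")),
        ("net_group", re.compile(r"\bnet1?\s+group\b")),
        ("net_localgroup", re.compile(r"\bnet1?\s+localgroup\b")),
    ],
    "macos": [
        ("dscl_list_groups", re.compile(r"\bdscl\b.*-list\s+/groups\b")),
        ("dscacheutil_group", re.compile(r"\bdscacheutil\b.*-q\s+group\b")),
    ],
    "linux": [
        ("groups", re.compile(r"^(\S*/)?groups(\s|$)")),
        ("ldapsearch", re.compile(r"^(\S*/)?ldapsearch\b")),
    ],
}


def classify(cmdline, platform):
    """Return the label of the first matching pattern for the platform, or None."""
    text = cmdline.lower()
    for label, pattern in PATTERNS.get(platform, []):
        if pattern.search(text):
            return label
    return None


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def scan(lines):
    """Parse JSON process-creation lines and return the group-discovery hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev.get("cmdline", ""), ev.get("platform", ""))
        if label:
            hits.append({"ts": parse_ts(ev["ts"]), "host": ev["host"], "user": ev["user"],
                         "platform": ev["platform"], "label": label, "cmdline": ev["cmdline"]})
    return hits


def sequences(hits, window=timedelta(minutes=5), min_distinct=2):
    """Group hits by host/user and report runs of distinct discovery commands.

    One net group call is weak evidence on its own; several different
    enumeration commands from one principal inside a short window are the
    chain of behaviour the Detection section says to look for.
    """
    by_key = defaultdict(list)
    for h in hits:
        by_key[(h["host"], h["user"])].append(h)
    found = []
    for (host, user), items in by_key.items():
        items.sort(key=lambda h: h["ts"])
        i = 0
        while i < len(items):
            j = i
            labels = set()
            while j < len(items) and items[j]["ts"] - items[i]["ts"] <= window:
                labels.add(items[j]["label"])
                j += 1
            if len(labels) >= min_distinct:
                found.append({"host": host, "user": user, "labels": sorted(labels),
                              "start": items[i]["ts"], "end": items[j - 1]["ts"]})
                i = j  # non-overlapping windows
            else:
                i += 1
    return found


# Constructed sample telemetry (not real events); hosts and users are made up.
SAMPLE_EVENTS = [
    {"ts": "2019-10-01T12:00:01Z", "host": "ws01", "user": "alice", "platform": "windows",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /domain"},
    {"ts": "2019-10-01T12:00:05Z", "host": "ws01", "user": "alice", "platform": "windows",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators"},
    {"ts": "2019-10-01T12:00:09Z", "host": "ws01", "user": "alice", "platform": "windows",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Exchange Trusted Subsystem" /domain'},
    {"ts": "2019-10-01T12:01:00Z", "host": "ws02", "user": "bob", "platform": "windows",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use \\fs01\share"},
    {"ts": "2019-10-01T12:02:00Z", "host": "mac01", "user": "carol", "platform": "macos",
     "image": "/usr/bin/dscl", "cmdline": "dscl . -list /Groups"},
    {"ts": "2019-10-01T12:03:00Z", "host": "lnx01", "user": "dave", "platform": "linux",
     "image": "/usr/bin/groups", "cmdline": "groups"},
    {"ts": "2019-10-01T12:03:30Z", "host": "lnx01", "user": "dave", "platform": "linux",
     "image": "/usr/bin/ldapsearch", "cmdline": "ldapsearch -x -b dc=example,dc=com '(objectClass=group)'"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    hits = scan(SAMPLE_LINES)
    for h in hits:
        print(f"{h['ts']:%H:%M:%S} {h['host']}/{h['user']} {h['label']}: {h['cmdline']}")
    for s in sequences(hits):
        print(f"SEQUENCE {s['host']}/{s['user']} {s['labels']} {s['start']:%H:%M:%S}-{s['end']:%H:%M:%S}")
```

The single-command matches are deliberately kept as a separate, lower-severity layer from the per-principal sequences: administrators run net localgroup and groups legitimately, so the sequence output, which needs at least two distinct enumeration commands from the same host and user within five minutes, is the part worth routing to an analyst, and both the window and the threshold are parameters to tune against the environment's baseline.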

References

  1. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  2. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  3. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  4. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  5. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  6. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  7. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  8. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  9. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  10. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.