Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as `net group /domain` of the [Net](/software/S0039) utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain-level groups.
| ID | Name |
|---|---|
| S1063 | Brute Ratel C4 |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings. |
| DS0015 | Application Log | Application Log Content | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, e.g. Windows EID 4798 and 4799. |
| DS0009 | Process | OS API Execution | Monitor for API calls associated with finding domain-level groups and permission settings, such as |
| DS0009 | Process | Process Creation | Monitor newly executed processes that may attempt to find domain-level groups and permission settings. |
Implementation 1: Local Permission Group Discovery - [Net](/software/S0039)

Detection Notes:

- Pseudocode Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created).
- For Linux, auditing frameworks that support alerting on process creation, including the audit daemon (auditd), can be used to alert on invocations of commands such as
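The detection rows above (command execution, process creation, and the EID 4798/4799 group-enumeration events) and the implementation notes can be turned into a small matcher. The following is an added example written for this page; it is not MITRE's code and not the CAR analytic the implementation refers to. It scans process-creation records whose field names are modelled on Windows Security EID 4688 / Sysmon EID 1 (and an `EXECVE` type as a hypothetical collector might label auditd records) for the three commands the description lists, and separately tallies EID 4798/4799 events per user. Every event in `SAMPLE_EVENTS` is constructed for illustration.

```python
"""Matcher for domain-group discovery commands and group-enumeration audit events.

Added example: not MITRE's code or the CAR analytic itself. Field names
("event_id", "user", "host", "command_line") are an assumed normalised
schema; the sample events are constructed, not captured.
"""
import re

# The commands named on the page. Case-insensitive because Windows command
# lines are. `net1.exe` is included because net.exe hands its work to it.
# ldapsearch is a general-purpose tool, so it is only treated as group
# discovery when its filter asks for group objects, which keeps the base
# rate of false positives down.
DOMAIN_GROUP_PATTERNS = {
    "net group /domain": re.compile(r"\bnet1?(?:\.exe)?\s+group\b.*\s/domain\b", re.I),
    "dscacheutil -q group": re.compile(r"\bdscacheutil\s+-q\s+group\b", re.I),
    "ldapsearch (group filter)": re.compile(
        r"\bldapsearch\b.*\(?objectclass=(?:group|posixgroup)\)?", re.I),
}

# Security 4688, Sysmon EID 1, and the assumed label for auditd EXECVE records.
PROCESS_CREATION_IDS = {4688, 1, "EXECVE"}
# Security log: a user's (security-enabled) group membership was enumerated.
GROUP_ENUMERATION_IDS = {4798, 4799}


def classify_command(command_line):
    """Return the matching technique label for a command line, or None."""
    for name, pattern in DOMAIN_GROUP_PATTERNS.items():
        if pattern.search(command_line):
            return name
    return None


def find_domain_group_discovery(events):
    """Return a hit record for every process-creation event whose command
    line matches one of the domain-group discovery patterns."""
    hits = []
    for ev in events:
        if ev.get("event_id") not in PROCESS_CREATION_IDS:
            continue
        technique = classify_command(ev.get("command_line", ""))
        if technique:
            hits.append({
                "user": ev.get("user"),
                "host": ev.get("host"),
                "technique": technique,
                "command_line": ev["command_line"],
            })
    return hits


def count_group_enumeration(events):
    """Count EID 4798/4799 events per user; a burst from one account is the
    application-log signal the detection table describes."""
    counts = {}
    for ev in events:
        if ev.get("event_id") in GROUP_ENUMERATION_IDS:
            counts[ev.get("user")] = counts.get(ev.get("user"), 0) + 1
    return counts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS01", "user": "CORP\\alice",
     "command_line": 'net  group "Domain Admins" /domain'},
    {"event_id": 4688, "host": "WS01", "user": "CORP\\alice",
     "command_line": "net localgroup administrators"},   # local, not domain
    {"event_id": 1, "host": "mac01", "user": "alice",
     "command_line": "dscacheutil -q group -a name admin"},
    {"event_id": "EXECVE", "host": "lnx01", "user": "alice",
     "command_line": 'ldapsearch -x -H ldap://dc01.corp.example -b "dc=corp,dc=example" "(objectClass=group)" cn'},
    {"event_id": 4798, "host": "DC01", "user": "CORP\\bob"},
    {"event_id": 4799, "host": "DC01", "user": "CORP\\bob"},
    {"event_id": 4688, "host": "WS02", "user": "CORP\\carol",
     "command_line": "notepad.exe"},
]


if __name__ == "__main__":
    for hit in find_domain_group_discovery(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['technique']} <- {hit['command_line']}")
    print("group enumeration events per user:", count_group_enumeration(SAMPLE_EVENTS))
```

The `net localgroup` line is deliberately left unmatched: local group enumeration is a sibling technique, and the pattern requires both the `group` subcommand and the `/domain` switch so the two are not conflated.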