# Permission Groups Discovery

Permission Groups Discovery
Technique
ID T1069
Tactic Discovery
Platform Linux, macOS, Windows
Permissions Required User
Data Sources API monitoring, Process command-line parameters, Process monitoring
CAPEC ID CAPEC-576

Adversaries may attempt to find local system or domain-level groups and permissions settings.

## Contents

### Windows

Examples of commands that can list groups are net group /domain and net localgroup using the Net utility.

### Mac

On Mac, this same thing can be accomplished with the dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.

### Linux

On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.

## Examples

• APT3 has a tool that can enumerate the permissions associated with Windows groups.1
• Ke3chang performs discovery of permission groups net group /domain.2
• OilRig has used net group /domain, net localgroup administrators, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to find group permission settings on a victim.3
• admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: net localgroup administrator >> %temp%\download4
• Emissary has the capability to execute the command net localgroup administrators.5
• Helminth has checked for the local admin group domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain.6
• Commands such as net group and net localgroup can be used in Net to gather information about and manipulate groups.7
• OSInfo specifically looks for Domain Admins, Power Users, and the Administrators groups within the domain and locally 1
• POWRUNER may collect permission group information by running net group /domain or a series of other commands on a victim.8
• Sys10 collects the group name of the logged-in user and sends it to the C2.9
• dsquery can be used to gather information on permission groups within a domain.10

## Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting11 tools, like AppLocker,1213 or Software Restriction Policies14 where appropriate.15

## Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.