Adversaries may attempt to find local system or domain-level groups and permissions settings.

Examples of commands that can list groups are `net group /domain` and `net localgroup` using the Net utility. On Mac, this same thing can be accomplished with `dscacheutil -q group` for the domain, or `dscl . -list /Groups` for local groups. On Linux, local groups can be enumerated with the `groups` command and domain groups via the `ldapsearch` command.

With authenticated access there are several tools that can be used to find permissions groups. The `Get-MsolRole` PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts. (Citation: Microsoft msrole)(Citation: GitHub Raindance)

Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command `az ad user get-member-groups` will list groups associated to a user account. (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)

Permission Groups Discovery

Supported Platforms: macOS, Linux

```sh
dscacheutil -q group
dscl . -list /Groups
groups
```

Basic Permission Groups Discovery for Windows

Supported Platforms: Windows

```cmd
net localgroup
net group /domain
```

Permission Groups Discovery utilizing PowerShell

Supported Platforms: Windows

| Name | Description | Type | Default Value |
|---|---|---|---|
| user | User to identify what groups a user is a member of | string | administrator |

```powershell
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
```

Runs the 'net group' command, including command aliases and loose typing, to simulate enumeration/discovery of high-value domain groups.

Supported Platforms: Windows

```cmd
net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
net groups 'Exchange Organization Management' /doma
net group 'BUILTIN\Backup Operators' /doma
```
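
The last test uses the `groups` alias and truncated `/domain` switches, which defeat a detection that matches the literal string `net group /domain`. The following is an added example, not part of the original test definitions, of a command-line classifier that tolerates those variants. The function names and sample command lines are constructed for illustration, and it assumes `net` accepts any truncation of `/domain` down to `/do`.

```python
import re

# High-value groups named in the test above; extend for your environment.
HIGH_VALUE = ("domain admins", "account operators",
              "exchange organization management", "backup operators")

# net or net1 (optional path, quotes, .exe), then group, groups or localgroup.
NET_GROUP = re.compile(
    r'(?:^|[\\/\s"])net1?(?:\.exe)?"?\s+(?P<verb>localgroup|groups?)\b(?P<rest>.*)$',
    re.IGNORECASE)
# /domain and its truncations /do ... /domai (assumed to be accepted by net).
DOMAIN_SWITCH = re.compile(r"(?:^|\s)/do(?:m(?:a(?:in?)?)?)?(?=\s|$)", re.IGNORECASE)
# /add and /delete change membership; that is not enumeration.
MODIFY_SWITCH = re.compile(r"(?:^|\s)/(?:add|delete)\b", re.IGNORECASE)


def classify(cmdline):
    """Return None if cmdline is not group enumeration, else a finding dict."""
    m = NET_GROUP.search(cmdline.strip())
    if m is None or MODIFY_SWITCH.search(m.group("rest")):
        return None
    rest = m.group("rest").lower()
    verb = m.group("verb").lower()
    return {
        "verb": "group" if verb.startswith("group") else "localgroup",
        "domain": DOMAIN_SWITCH.search(rest) is not None,
        "high_value_group": next((g for g in HIGH_VALUE if g in rest), None),
    }


# Constructed process-creation command lines (not real telemetry).
SAMPLES = [
    "net group /domai 'Domain Admins'",
    "net groups 'Account Operators' /doma",
    r"net group 'BUILTIN\Backup Operators' /doma",
    r"C:\Windows\System32\net1.exe localgroup",
    "net localgroup Administrators svc-backup /add",
    "net use \\\\fileserver\\share",
    "dotnet build group.csproj",
]


def triage(cmdlines):
    """Return (cmdline, finding) pairs for every enumeration command."""
    return [(c, f) for c in cmdlines if (f := classify(c)) is not None]


if __name__ == "__main__":
    for cmd, finding in triage(SAMPLES):
        print(finding, "<-", cmd)
```

Findings with a non-empty `high_value_group` are the ones worth prioritising, since plain `net localgroup` is common in routine administration.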