Adversaries may attempt to find local system or domain-level groups and permissions settings.===Windows===
Examples of commands that can list groups are
net group /domainandnet localgroupusing the Net utility.===Mac===
On Mac, this same thing can be accomplished with the
dscacheutil -q groupfor the domain, ordscl . -list /Groupsfor local groups.===Linux===
On Linux, local groups can be enumerated with the
groupscommand and domain groups via theldapsearchcommand.Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, Windows, macOS
Data Sources: API monitoring, Process command-line parameters, Process monitoring
Permissions Required: User
Permission Groups Discovery
Supported Platforms: macOS, Linux
dscacheutil -q group
dscl . -list /Groups
groups
Permission Groups Discovery for Windows
Supported Platforms: Windows
net localgroup
net group /domain
Permission Groups Discovery utilizing PowerShell
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| user | User to identify what groups a user is a member of | string | administrator |
get-localgroup
get-ADPrinicipalGroupMembership #{user} | select name