T1069.001: Local Groups
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Commands such as net localgroup
of the Net utility, dscl . -list /Groups
on macOS, and groups
on Linux can list local groups.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software mitre_attck_discovery: PT-CR-921: Multiple_Groups_Enum: An attempt to enumerate user groups in the system is detected mitre_attck_discovery: PT-CR-1378: PowerView_Recon: Running scripts from the PowerView toolkit used to receive information about domains, domain and local groups, and users is detected mitre_attck_discovery: PT-CR-325: Permission_Groups_Discovery: An attempt to retrieve a list of user group permissions is detected freeipa: PT-CR-2144: FreeIPA_Suspicious_LDAP_Request: LDAP request to a sensitive attribute in the FreeIPA domain clickhouse: PT-CR-1573: ClickHouse_Users_Privileges_Discovery: An attempt to receive information about user privileges is detected active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on. hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected hacking_tools: PT-CR-2020: SharpHound_LoggedOn: The SharpHound (BloodHound) utility was started using the LoggedOn method. This method allows you to collect information about user sessions on different domain hosts. hacking_tools: PT-CR-1980: Subrule_SharpHound_Access_To_Samr_Srvsvc: A connection to samr and srvsvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of one of the SharpHound (BloodHound) information collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected hacking_tools: PT-CR-1977: Subrule_SharpHound_LoggedOn: A connection to winreg (2) and wkssvc (1) named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) LoggedOn information collection method hacking_tools: PT-CR-1979: Subrule_SharpHound_Access_To_Wkssvc_Srvsvc: A connection to samr and wkssvc named pipes on behalf of the same user from the same host was detected, which may indicate usage of the SharpHound (BloodHound) Session information collection method hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth) hacking_tools: PT-CR-2019: SharpHound_Groups_Collection: The SharpHound (BloodHound) utility was started using one of the following collection methods: LocalGroup, RDP, DCOM, LocalAdmin, ComputerOnly. These methods are used to collect information about local user groups on different domain hosts. hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected hacking_tools: PT-CR-2018: SharpHound_Session: The SharpHound (BloodHound) utility was started using the Session method. This method allows you to collect information about user sessions on different domain hosts.
Detection
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor newly executed processes that may attempt to find local system groups and permission settings. Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). The logic in the Analytic looks for any instances of net.exe used for local user/group discovery; although this utility is not normally used for benign purposes, such usage by system administrator actions may trigger false positives. Analytic 1 - Local Permission Group Discovery
|
---|
ID | DS0036 | Data source and component | Group: Group Enumeration | Description | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor for executed commands and arguments that may attempt to find local system groups and permission settings. |
---|
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor for API calls associated with finding local system groups and permission settings, such as NetLocalGroupEnum. Other API calls relevant to Local Group discovery include NetQueryDisplayInformation and NetGetDisplayInformationIndex. Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
---|