# T1069 Permission Groups Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Monitor container logs for commands and/or API calls related to listing permissions for pods and nodes, such as <code>kubectl auth can-i</code>.(Citation: K8s Authorization Overview)

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Windows

  * Azure AD

  * Office 365

  * SaaS

  * IaaS

  * Linux

  * macOS

  * Google Workspace

  * Containers

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Pod:** Pod Metadata

  * **Command:** Command Execution

  * **Group:** Group Metadata

  * **Process:** Process Creation

  * **Application Log:** Application Log Content

  * **Group:** Group Enumeration

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used the <code>Get-ManagementRoleAssignment</code> PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.(Citation: Volexity SolarWinds)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used TinyMet to enumerate members of privileged groups.(Citation: IBM TA505 April 2020) [TA505](https://attack.mitre.org/groups/G0092) has also run <code>net group /domain</code>.(Citation: Trend Micro TA505 June 2019)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can enumerate the permissions associated with Windows groups.(Citation: Symantec Buckeye)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used the <code>Get-ManagementRoleAssignment</code> PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.(Citation: Volexity SolarWinds)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1069)

  * [Capec](https://capec.mitre.org/data/definitions/576.html)

  * [K8S Authorization Overview](https://kubernetes.io/docs/reference/access-authn-authz/authorization/), Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will query group permission settings to determine accounts and groups on the device or domain.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Epic (Turla backdoor) gathers information on local group names.
- Turla has used `net localgroup` and `net localgroup Administrators` to enumerate group information, including members of the local Administrators group.
- Turla has used `net group "Domain Admins" /domain` to identify domain administrators.

## Detection Blindspots

- Custom tools that query the Windows API directly, rather than spawning `net.exe` or PowerShell, will not show up in these process- and command-line-based analytics.

## Analytical References

  * [Atomic Red Team T1069.001 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md)
  * [Atomic Red Team T1069.002 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md)
  * [KL Epic Turla Technical Appendix 2018 (kasperskycontenthub)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080105/KL_Epic_Turla_Technical_Appendix_20140806.pdf)
  * [ESET Turla ComRAT 2020 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather information.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```process.name : (net.exe or net1.exe) and process.command_line : *localgroup*```
  * **Query:** ```process.name : (net.exe or net1.exe or dsquery.exe) and process.command_line : *domain*```

#### Analytic 2

  * **Information:** Look in the message or script block text for group-enumeration cmdlets (e.g. Get-LocalGroup, Get-LocalGroupMember, Get-ADPrincipalGroupMembership, Get-ADUser).

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```event.code : 4104```

#### Analytic 3

  * **Information:** Event ID 4799: A security-enabled local group membership was enumerated.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** This event ID fires very often in normal environments. Filtering on the caller process name is critical for separating suspicious enumeration from routine activity. Also note the TargetUserName field, which holds the name of the group that was enumerated.

  * **Query:** ```event.code : 4799 and winlog.event_data.CallerProcessName : (*powershell.exe or *net.exe or *net1.exe)```
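
As an added example (not part of this playbook), the three host analytics above combined into one Python triage function and run over constructed sample events. Field names follow the ECS/Winlogbeat layout of the Kibana queries; the `powershell.file.script_block_text` field for the 4104 script block is an assumption.

```python
# Constructed sample events in an ECS-style layout (assumed to match the
# Kibana queries above); the 4104 script-block field name is an assumption.
SAMPLE_EVENTS = [
    {"event": {"code": "1"}, "process": {"name": "net.exe", "command_line": "net localgroup Administrators"}},
    {"event": {"code": "1"}, "process": {"name": "net1.exe", "command_line": 'net1 group "Domain Admins" /domain'}},
    {"event": {"code": "1"}, "process": {"name": "dsquery.exe", "command_line": 'dsquery group -name "Domain Admins"'}},
    {"event": {"code": "4104"}, "powershell": {"file": {"script_block_text": "Get-LocalGroupMember -Group Administrators"}}},
    {"event": {"code": "4799"}, "winlog": {"event_data": {"CallerProcessName": r"C:\Windows\System32\net1.exe", "TargetUserName": "Administrators"}}},
    {"event": {"code": "4799"}, "winlog": {"event_data": {"CallerProcessName": r"C:\Windows\System32\svchost.exe", "TargetUserName": "Administrators"}}},  # benign noise
    {"event": {"code": "1"}, "process": {"name": "notepad.exe", "command_line": "notepad.exe notes.txt"}},
]

NET_TOOLS = {"net.exe", "net1.exe"}
DOMAIN_TOOLS = NET_TOOLS | {"dsquery.exe"}
# "get-localgroup" also covers Get-LocalGroupMember as a prefix match
GROUP_CMDLETS = ("get-localgroup", "get-adprincipalgroupmembership", "get-aduser")
ENUM_CALLERS = ("powershell.exe", "net.exe", "net1.exe")

def field(event, path, default=""):
    # Walk a dotted ECS path such as "winlog.event_data.CallerProcessName".
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def classify(event):
    """Return the numbers of the host analytics (1, 2, 3) this event trips."""
    hits = []
    code = str(field(event, "event.code"))
    name = field(event, "process.name").lower()
    cmd = field(event, "process.command_line").lower()
    # Analytic 1: net/net1 with 'localgroup', or net/net1/dsquery with 'domain'
    if (name in NET_TOOLS and "localgroup" in cmd) or (name in DOMAIN_TOOLS and "domain" in cmd):
        hits.append(1)
    # Analytic 2: 4104 script block that names a group-enumeration cmdlet
    if code == "4104" and any(c in field(event, "powershell.file.script_block_text").lower() for c in GROUP_CMDLETS):
        hits.append(2)
    # Analytic 3: 4799 is noisy on its own, so require a shell or net.exe caller
    if code == "4799" and field(event, "winlog.event_data.CallerProcessName").lower().endswith(ENUM_CALLERS):
        hits.append(3)
    return hits

def hunt(events):
    """Map event index -> tripped analytics, dropping events that match none."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Running `hunt(SAMPLE_EVENTS)` flags the five enumeration events and drops the svchost.exe 4799 and the notepad.exe process creation, which is the filtering the Analytic 3 notes call for.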



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

