Local Groups

Information

• Name: Local Groups

• ID: T1069.001

• Tactics: TA0007

• Technique: T1069

Introduction

Local Groups (T1069.001) is a sub-technique of the MITRE ATT&CK framework under the Discovery tactic. It involves adversaries enumerating local groups on a compromised system to gain insight into permission levels, access privileges, and potential targets for privilege escalation or lateral movement. By identifying local groups and their associated user accounts, attackers can better understand the security posture and identify accounts with elevated privileges, thus facilitating further exploitation.

Deep Dive Into Technique

Adversaries commonly use built-in system commands or scripts to enumerate local groups on Windows, Linux, or macOS systems. The enumeration of local groups typically involves querying the operating system for information on user permissions, group memberships, and associated privileges.

Common execution methods include:

• Windows Systems:

  • Using built-in commands such as:

    • net localgroup: Lists all local groups and their members.

      Copy

      net localgroup administrators
      net localgroup "Remote Desktop Users"

    • PowerShell commands:

      Copy

      Get-LocalGroup
      Get-LocalGroupMember -Group "Administrators"

  • Utilizing scripts or tools like PowerView or BloodHound to automate enumeration and visualize relationships between users and groups.

• Linux/macOS Systems:

  • Using built-in commands such as:

    • cat /etc/group: Lists all groups and associated members.

      Copy

      cat /etc/group | grep sudo

    • groups <username>: Lists groups for a specific user.

      Copy

      groups root

    • getent group: Retrieves group information from various sources.

      Copy

      getent group wheel

  • Employing specialized scripts or enumeration tools (e.g., LinEnum, LinuxPrivChecker) to automate the discovery of privilege-related groups.

Real-world procedures typically involve attackers first gaining initial access, then quickly enumerating local groups to identify privileged accounts. Understanding local group memberships helps adversaries select targets for privilege escalation or lateral movement, facilitating further compromise of the environment.

When this Technique is Usually Used

This sub-technique is commonly used during the Discovery stage of an attack, soon after initial compromise. Specific scenarios include:

• Privilege Escalation: Attackers enumerate local groups to identify accounts with administrative privileges, enabling them to escalate privileges and gain full control over compromised systems.

• Lateral Movement: Enumeration helps attackers identify accounts with remote access privileges (e.g., Remote Desktop Users, SSH groups), providing pathways for lateral movement across the network.

• Persistence: Identification of privileged groups allows adversaries to select accounts or groups suitable for establishing persistent access, such as accounts with permissions to install software or create scheduled tasks.

• Reconnaissance and Information Gathering: Attackers use local group enumeration to map out organizational security structures, identify critical assets, and determine the most effective attack vectors.

How this Technique is Usually Detected

Detection of local group enumeration activities typically involves monitoring system logs, command-line activity, and anomalous queries to group membership information. Effective detection approaches include:

• Command-Line Monitoring: Monitor execution of commands commonly used for group enumeration (net localgroup, Get-LocalGroup, cat /etc/group, getent group).

• Process Execution Logs: Examine logs for unusual processes or scripts executing enumeration commands, especially shortly after initial compromise or in rapid succession.

• Windows Event Logs:

  • Monitor Event ID 4688 (Process Creation) to detect execution of enumeration commands.

  • Check Event ID 4798 (Local Group Membership Enumeration) indicating attempts to enumerate local groups and memberships.

• Endpoint Detection and Response (EDR) Tools: Utilize EDR solutions capable of detecting suspicious enumeration activities, anomalous behavior, and execution of enumeration scripts or tools like PowerView or LinEnum.

• Behavioral Analysis: Detect abnormal user or process behavior patterns, such as a standard user suddenly querying administrative group memberships or executing enumeration commands not typical for their role.

Indicators of Compromise (IoCs) specifically associated with this technique include:

• Execution of enumeration commands (net localgroup, Get-LocalGroupMember) by unusual user accounts or processes.

• Presence of enumeration scripts or tools (PowerView, BloodHound, LinEnum) on endpoints.

• Abnormal frequency or timing of group enumeration queries.

Why it is Important to Detect This Technique

Early detection of Local Groups enumeration is crucial because it often indicates the initial stages of adversarial reconnaissance and privilege escalation efforts. Failure to detect and respond to this technique can lead to significant impacts, including:

• Privilege Escalation: Attackers can identify privileged accounts and escalate their privileges, gaining administrative control over systems and networks.

• Lateral Movement: Discovery of group memberships enables attackers to identify accounts with remote access privileges, facilitating lateral movement and the compromise of additional systems.

• Persistence: Attackers may leverage privileged groups to establish persistent access, making remediation challenging and prolonging compromise.

• Sensitive Data Access: Compromise of administrative accounts identified through group enumeration may lead to unauthorized access to sensitive data, intellectual property, or personally identifiable information (PII).

• Operational Disruption: Successful exploitation following group enumeration can lead to disruption of critical services, operational downtime, and increased costs for incident response and remediation efforts.

Detecting this technique early allows defenders to quickly respond, contain the attacker’s activities, and mitigate potential damage.

Examples

Real-world examples involving Local Groups enumeration include:

• APT29 (Cozy Bear):

  • Attackers used built-in Windows commands (net localgroup administrators) to enumerate local administrative groups during initial reconnaissance phases, identifying privileged accounts for further exploitation.

  • Impact: Enabled privilege escalation and lateral movement to compromise critical systems and exfiltrate sensitive data.

• FIN6 Financial Threat Group:

  • Utilized PowerShell scripts (PowerView) to automate enumeration of local groups and administrative accounts on compromised endpoints.

  • Impact: Facilitated lateral movement and privilege escalation within victim environments, leading to large-scale financial theft and data breaches.

• NotPetya Malware Attack:

  • Malware executed automated enumeration commands (net localgroup administrators) to identify privileged accounts and propagate rapidly across victim networks.

  • Impact: Caused widespread operational disruption, data loss, and significant financial damage to global enterprises.

• Penetration Testing Tools:

  • Tools like BloodHound and LinEnum are frequently employed by penetration testers and attackers alike to automate group enumeration and visualize privilege relationships.

  • Impact: Effective identification of privilege escalation paths, enabling testers or attackers to quickly escalate privileges and move laterally.

These examples demonstrate the commonality and effectiveness of Local Groups enumeration in various attack scenarios, highlighting the importance of detection and mitigation strategies.