| Name |
Group Permission Footprinting |
|
| Likelyhood of attack |
Typical severity |
| Low |
Low |
|
| Summary |
An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized user. By knowing what users/permissions are registered on the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command which can list local groups is "net localgroup". |
| Prerequisites |
The adversary must have gained access to the target system via physical or logical means in order to carry out this attack. |
| Solutions | Identify programs (such as "net") that may be used to enumerate local group permissions and block them by using a software restriction Policy or tools that restrict program execution by using a process allowlist. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-200 |
Exposure of Sensitive Information to an Unauthorized Actor |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-169 |
An adversary engages in probing and exploration activities to identify constituents and properties of the target. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1069 |
Permission Groups Discovery |
| 1615 |
Group Policy Discovery |
|