From 5332936f8f4b29d69ee755fb9923e1dee7c317ab Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 11 Nov 2019 01:55:17 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1069/T1069.md | 67 ++++++++++++++++++++++++++++++++++++++-- atomics/index.md | 5 ++- atomics/index.yaml | 42 +++++++++++++++++++++++++ atomics/linux-index.md | 1 + atomics/macos-index.md | 1 + atomics/windows-index.md | 4 ++- 6 files changed, 116 insertions(+), 4 deletions(-) diff --git a/atomics/T1069/T1069.md b/atomics/T1069/T1069.md index eab34894..d3fc262a 100644 --- a/atomics/T1069/T1069.md +++ b/atomics/T1069/T1069.md @@ -22,12 +22,75 @@ Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with ## Atomic Tests -- [Atomic Test #1 - Elevated group enumeration using net group](#atomic-test-1---elevated-group-enumeration-using-net-group) +- [Atomic Test #1 - Permission Groups Discovery](#atomic-test-1---permission-groups-discovery) + +- [Atomic Test #2 - Basic Permission Groups Discovery Windows](#atomic-test-2---basic-permission-groups-discovery-windows) + +- [Atomic Test #3 - Permission Groups Discovery PowerShell](#atomic-test-3---permission-groups-discovery-powershell) + +- [Atomic Test #4 - Elevated group enumeration using net group](#atomic-test-4---elevated-group-enumeration-using-net-group)
-## Atomic Test #1 - Elevated group enumeration using net group +## Atomic Test #1 - Permission Groups Discovery +Permission Groups Discovery + +**Supported Platforms:** macOS, Linux + + +#### Run it with `sh`! +``` +dscacheutil -q group +dscl . -list /Groups +groups +``` + + + +
+
+ +## Atomic Test #2 - Basic Permission Groups Discovery Windows +Basic Permission Groups Discovery for Windows + +**Supported Platforms:** Windows + + +#### Run it with `command_prompt`! +``` +net localgroup +net group /domain +``` + + + +
+
+ +## Atomic Test #3 - Permission Groups Discovery PowerShell +Permission Groups Discovery utilizing PowerShell + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user | User to identify what groups a user is a member of | string | administrator| + +#### Run it with `powershell`! +``` +get-localgroup +get-ADPrinicipalGroupMembership #{user} | select name +``` + + + +
+
+ +## Atomic Test #4 - Elevated group enumeration using net group Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups **Supported Platforms:** Windows diff --git a/atomics/index.md b/atomics/index.md index 39d72cbe..0d20e9d0 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -542,7 +542,10 @@ - Atomic Test #7: Examine password policy - macOS [macos] - T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1069 Permission Groups Discovery](./T1069/T1069.md) - - Atomic Test #1: Elevated group enumeration using net group [windows] + - Atomic Test #1: Permission Groups Discovery [macos, linux] + - Atomic Test #2: Basic Permission Groups Discovery Windows [windows] + - Atomic Test #3: Permission Groups Discovery PowerShell [windows] + - Atomic Test #4: Elevated group enumeration using net group [windows] - [T1057 Process Discovery](./T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux] - [T1012 Query Registry](./T1012/T1012.md) diff --git a/atomics/index.yaml b/atomics/index.yaml index 9c80634f..4e1bd378 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -15481,6 +15481,48 @@ discovery: modified: '2019-10-18T20:37:17.043Z' identifier: T1069 atomic_tests: + - name: Permission Groups Discovery + description: 'Permission Groups Discovery + +' + supported_platforms: + - macos + - linux + executor: + name: sh + command: | + dscacheutil -q group + dscl . -list /Groups + groups + - name: Basic Permission Groups Discovery Windows + description: 'Basic Permission Groups Discovery for Windows + +' + supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: false + command: | + net localgroup + net group /domain + - name: Permission Groups Discovery PowerShell + description: 'Permission Groups Discovery utilizing PowerShell + +' + supported_platforms: + - windows + input_arguments: + user: + description: User to identify what groups a user is a member of + type: string + default: administrator + executor: + name: powershell + elevation_required: false + command: | + get-localgroup + get-ADPrinicipalGroupMembership #{user} | select name - name: Elevated group enumeration using net group description: 'Runs ''net group'' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups diff --git a/atomics/linux-index.md b/atomics/linux-index.md index e360f3b2..625da05c 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -93,6 +93,7 @@ - Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [centos] - Atomic Test #4: Examine password expiration policy - All Linux [linux] - [T1069 Permission Groups Discovery](./T1069/T1069.md) + - Atomic Test #1: Permission Groups Discovery [macos, linux] - [T1057 Process Discovery](./T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux] - [T1018 Remote System Discovery](./T1018/T1018.md) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index effb41b0..661a6dc4 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md 
@@ -105,6 +105,7 @@ - Atomic Test #7: Examine password policy - macOS [macos] - T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1069 Permission Groups Discovery](./T1069/T1069.md) + - Atomic Test #1: Permission Groups Discovery [macos, linux] - [T1057 Process Discovery](./T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux] - [T1018 Remote System Discovery](./T1018/T1018.md) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index fd2237fb..3a35379e 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -366,7 +366,9 @@ - Atomic Test #6: Examine domain password policy - Windows [windows] - T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1069 Permission Groups Discovery](./T1069/T1069.md) - - Atomic Test #1: Elevated group enumeration using net group [windows] + - Atomic Test #2: Basic Permission Groups Discovery Windows [windows] + - Atomic Test #3: Permission Groups Discovery PowerShell [windows] + - Atomic Test #4: Elevated group enumeration using net group [windows] - [T1057 Process Discovery](./T1057/T1057.md) - [T1012 Query Registry](./T1012/T1012.md) - Atomic Test #1: Query Registry [windows]
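Review bot: in the atomics/T1069/T1069.md hunk, the PowerShell command for Atomic Test #3 misspells the cmdlet name: `get-ADPrinicipalGroupMembership #{user} | select name` should read `Get-ADPrincipalGroupMembership #{user} | select name`, otherwise the test aborts with a command-not-found error before it exercises anything, which reads as a false negative to anyone using it to validate detection coverage. The same test states no prerequisites, yet that cmdlet only exists once the ActiveDirectory module (RSAT) is installed and `Get-LocalGroup` needs PowerShell 5.1 or later; likewise Test #2's `net group /domain` only succeeds on a domain-joined host. A prerequisite or dependency line on each test would turn these silent failures into a clear "not applicable". Because this file is generator output, the correction belongs in the source atomic definition the doc job reads, not in the generated Markdown.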
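Review bot: the atomics/index.yaml hunk carries the same misspelt cmdlet (`get-ADPrinicipalGroupMembership`) in the `command` block of the PowerShell test, so it needs the same source-level fix. Two smaller consistency points in this hunk: the `description` of the first test is just its name repeated (`'Permission Groups Discovery`) with two trailing newlines, so it documents nothing about what the commands enumerate or what a defender should expect to see; and the first test omits `elevation_required` while the two following tests set `elevation_required: false`, so consumers of the index cannot tell whether `dscl . -list /Groups` and friends are expected to run unprivileged. Filling in the description and the missing key at the source would make the generated index self-explanatory.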
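Review bot: the atomics/linux-index.md hunk lists `Atomic Test #1: Permission Groups Discovery [macos, linux]`, but two of that test's three commands, `dscacheutil -q group` and `dscl . -list /Groups`, are macOS Directory Services utilities that do not exist on Linux, so on a Linux host only `groups` runs and the test partially fails. Either the supported platforms for that test should be narrowed to macOS, or the Linux case should get its own command set (for example reading group membership through the tools a Linux host actually provides), so that the Linux index entry describes something that can execute end to end.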