---
attack_technique: T1069
display_name: Permission Groups Discovery

atomic_tests:
- name: Permission Groups Discovery
  description: |
    Permission Groups Discovery

  supported_platforms:
    - macos
    - linux

  executor:
    name: sh
    command: |
      dscacheutil -q group
      dscl . -list /Groups
      groups

- name: Basic Permission Groups Discovery Windows
  description: |
    Basic Permission Groups Discovery for Windows

  supported_platforms:
    - windows

  executor:
    name: command_prompt
    elevation_required: false
    command: |
      net localgroup
      net group /domain

- name: Permission Groups Discovery PowerShell
  description: |
    Permission Groups Discovery utilizing PowerShell

  supported_platforms:
    - windows

  input_arguments:
    user:
      description: User to identify what groups a user is a member of
      type: string
      default: administrator

  executor:
    name: powershell
    elevation_required: false
    command: |
      get-localgroup
      get-ADPrinicipalGroupMembership #{user} | select name
atomic_tests:

- name: Elevated group enumeration using net group
  description: |
    Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups

  supported_platforms:
    - windows

  executor:
    name: command_prompt
    elevation_required: false
    command: |
      net group /domai 'Domain Admins'
      net groups 'Account Operators' /doma
      net groups 'Exchange Organization Management' /doma
      net group 'BUILTIN\Backup Operators' /doma