# T1069 - Permission Groups Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069)
<blockquote>Adversaries may attempt to find local system or domain-level groups and permissions settings. 

### Windows

Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the [Net](https://attack.mitre.org/software/S0039) utility.

### Mac

On Mac, this same thing can be accomplished with the <code>dscacheutil -q group</code> for the domain, or <code>dscl . -list /Groups</code> for local groups.

### Linux

On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.

### Office 365 and Azure AD

With authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft msrole)(Citation: GitHub Raindance)

Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command <code>az ad user get-member-groups</code> will list groups associated to a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)</blockquote>

## Atomic Tests

- [Atomic Test #1 - Permission Groups Discovery](#atomic-test-1---permission-groups-discovery)

- [Atomic Test #2 - Basic Permission Groups Discovery Windows](#atomic-test-2---basic-permission-groups-discovery-windows)

- [Atomic Test #3 - Permission Groups Discovery PowerShell](#atomic-test-3---permission-groups-discovery-powershell)

- [Atomic Test #4 - Elevated group enumeration using net group](#atomic-test-4---elevated-group-enumeration-using-net-group)


<br/>

## Atomic Test #1 - Permission Groups Discovery
Permission Groups Discovery

**Supported Platforms:** macOS, Linux



#### Attack Commands: Run with `sh`! 
```
dscacheutil -q group
dscl . -list /Groups
groups
```






<br/>
<br/>

## Atomic Test #2 - Basic Permission Groups Discovery Windows
Basic Permission Groups Discovery for Windows

**Supported Platforms:** Windows



#### Attack Commands: Run with `command_prompt`! 
```
net localgroup
net group /domain
```






<br/>
<br/>

## Atomic Test #3 - Permission Groups Discovery PowerShell
Permission Groups Discovery utilizing PowerShell

**Supported Platforms:** Windows


#### Inputs:
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator|


#### Attack Commands: Run with `powershell`! 
```
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
```






<br/>
<br/>

## Atomic Test #4 - Elevated group enumeration using net group
Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups

**Supported Platforms:** Windows



#### Attack Commands: Run with `command_prompt`! 
```
net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
net groups 'Exchange Organization Management' /doma
net group 'BUILTIN\Backup Operators' /doma
```






<br/>