atomic-red-team/atomics/T1069/T1069.md

# T1069 - Permission Groups Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069)
<blockquote>Adversaries may attempt to find local system or domain-level groups and permissions settings. 

### Windows

Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the [Net](https://attack.mitre.org/software/S0039) utility.

### Mac

On Mac, this same thing can be accomplished with the <code>dscacheutil -q group</code> for the domain, or <code>dscl . -list /Groups</code> for local groups.

### Linux

On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.</blockquote>

## Atomic Tests

- [Atomic Test #1 - Permission Groups Discovery](#atomic-test-1---permission-groups-discovery)

- [Atomic Test #2 - Permission Groups Discovery Windows](#atomic-test-2---permission-groups-discovery-windows)

- [Atomic Test #3 - Permission Groups Discovery PowerShell](#atomic-test-3---permission-groups-discovery-powershell)


<br/>

## Atomic Test #1 - Permission Groups Discovery
Permission Groups Discovery

**Supported Platforms:** macOS, Linux


#### Run it with `sh`!
```
dscacheutil -q group
dscl . -list /Groups
groups
```
<br/>
<br/>

## Atomic Test #2 - Permission Groups Discovery Windows
Permission Groups Discovery for Windows

**Supported Platforms:** Windows


#### Run it with `command_prompt`!
```
net localgroup
net group /domain
```
<br/>
<br/>

## Atomic Test #3 - Permission Groups Discovery PowerShell
Permission Groups Discovery utilizing PowerShell

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator|

#### Run it with `powershell`!
```
get-localgroup
get-ADPrinicipalGroupMembership #{user} | select name
```
<br/>