atomic-red-team/atomics/T1069/T1069.md

# T1069 - Permission Groups Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1069)
<blockquote>Adversaries may attempt to find local system or domain-level groups and permissions settings. 

### Windows

Examples of commands that can list groups are <code>net group /domain</code> and <code>net localgroup</code> using the [Net](https://attack.mitre.org/software/S0039) utility.

### Mac

On Mac, this same thing can be accomplished with the <code>dscacheutil -q group</code> for the domain, or <code>dscl . -list /Groups</code> for local groups.

### Linux

On Linux, local groups can be enumerated with the <code>groups</code> command and domain groups via the <code>ldapsearch</code> command.

### Office 365 and Azure AD

With authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft msrole)(Citation: GitHub Raindance)

Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command <code>az ad user get-member-groups</code> will list groups associated to a user account.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)</blockquote>

## Atomic Tests

- [Atomic Test #1 - Elevated group enumeration using net group](#atomic-test-1---elevated-group-enumeration-using-net-group)


<br/>

## Atomic Test #1 - Elevated group enumeration using net group
Runs 'net group' command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups

**Supported Platforms:** Windows


#### Run it with `command_prompt`! 
```
net group /domai 'Domain Admins'
net groups 'Account Operators' /doma
net groups 'Exchange Organization Management' /doma
net group 'BUILTIN\Backup Operators' /doma
```



<br/>