T1069.001: Local Groups

View on MITRE ATT&CK	T1069.001
Tactic(s)	Discovery

Data from MITRE ATT&CK®:

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Commands such as net localgroup of the Net utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...

View Source

Report

AA24-109A StopRansomware: Akira Ransomware

This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...

View Source

Report

StopRansomware: Rhysida Ransomware

This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...

View Source

How to detect this technique

MITRE ATT&CK Data Components

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Group Enumeration (Group)

An extracted list of available groups and/or their associated settings (ex: AWS list-groups)

OS API Execution (Process)

Operating system function/method calls executed by a process

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

SharpHound3 - LocalAdmin

WMIObject Group Discovery

Basic Permission Groups Discovery Windows (Local)

Permission Groups Discovery for Containers- Local Groups

Permission Groups Discovery PowerShell (Local)

Permission Groups Discovery (Local)

Wmic Group Discovery

Sigma Detections for this Technique

BloodHound Collection Files

windows file event

Malicious PowerShell Commandlets - ScriptBlock

windows ps script

Suspicious Get Local Groups Information

windows ps module

AD Groups Or Users Enumeration Using PowerShell - PoshModule

windows ps module

Suspicious Get Information for SMB Share - PowerShell Module

windows ps module

Local Groups Discovery - MacOs

macos process creation

Permission Check Via Accesschk.EXE

windows process creation

HackTool - Bloodhound/Sharphound Execution

windows process creation

Local Groups Reconnaissance Via Wmic.EXE

windows process creation

AD Groups Or Users Enumeration Using PowerShell - ScriptBlock

windows ps script

Malicious PowerShell Commandlets - PoshModule

windows ps module

Suspicious Get Local Groups Information - PowerShell

windows ps script

Suspicious Get Information for SMB Share

windows ps script

Local Groups Discovery - Linux

linux process creation

Malicious PowerShell Commandlets - ProcessCreation

windows process creation