Which SIEM platforms have a T1069 detection rule?

df00tech provides T1069 (Permission Groups Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Permission Groups Discovery (T1069)?

Detecting Permission Groups Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1069 detection?

The T1069 detection is rated medium severity with medium confidence.

What are common false positives for T1069?

Common false positives for T1069 include: IT administrators and helpdesk staff routinely running net localgroup or net group to troubleshoot access issues; Active Directory management scripts and scheduled tasks using Get-ADGroup or Get-ADGroupMember for account provisioning; Security tools and monitoring agents (e.g., CrowdStrike, Tenable) that enumerate group memberships as part of posture assessment.

T1069

Permission Groups Discovery

Discovery Last updated: April 18, 2026

Adversaries may attempt to discover group and permission settings to understand which user accounts and groups are available, group memberships, and which users and groups have elevated permissions. This information informs targeting decisions and enables privilege escalation, lateral movement, and persistence planning. Common enumeration methods include native Windows commands (net group, net localgroup), PowerShell cmdlets (Get-ADGroup, Get-LocalGroup), LDAP queries, BloodHound/SharpHound collection, Linux identity commands (id, groups, getent group), and cloud-provider APIs. Threat actors including APT41, TA505, Volt Typhoon, and Scattered Spider have used these techniques in real-world intrusions.

What is T1069 Permission Groups Discovery?

Permission Groups Discovery (T1069) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Permission Groups Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1069 Permission Groups Discovery
Canonical reference: https://attack.mitre.org/techniques/T1069/

Microsoft Sentinel / Defender

kusto

let GroupDiscoveryCommands = dynamic([
  "net group", "net localgroup", "net user /domain",
  "Get-ADGroup", "Get-ADGroupMember", "Get-LocalGroup", "Get-LocalGroupMember",
  "dsquery group", "dsget group",
  "gpresult", "whoami /groups", "whoami /all",
  "id ", "id;", "groups ", "getent group",
  "SharpHound", "BloodHound"
]);
let SuspiciousParents = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // net.exe based group enumeration
    (FileName =~ "net.exe" or FileName =~ "net1.exe")
    and ProcessCommandLine has_any ("group", "localgroup")
  ) or (
    // PowerShell AD/local group cmdlets
    (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe")
    and ProcessCommandLine has_any ("Get-ADGroup", "Get-ADGroupMember", "Get-LocalGroup", "Get-LocalGroupMember", "Get-ADPrincipalGroupMembership")
  ) or (
    // dsquery/dsget LDAP group enumeration
    (FileName =~ "dsquery.exe" or FileName =~ "dsget.exe")
    and ProcessCommandLine has "group"
  ) or (
    // whoami with group flags — common post-exploitation recon
    FileName =~ "whoami.exe"
    and ProcessCommandLine has_any ("/groups", "/all", "/priv")
  ) or (
    // gpresult — Group Policy result showing group memberships
    FileName =~ "gpresult.exe"
  ) or (
    // BloodHound / SharpHound collector binaries
    ProcessCommandLine has_any ("SharpHound", "BloodHound", "-CollectionMethod", "--CollectionMethods")
  )
| extend IsDomainGroupQuery = ProcessCommandLine has_any ("/domain", "net group", "dsquery group", "Get-ADGroup")
| extend IsLocalGroupQuery = ProcessCommandLine has_any ("localgroup", "Get-LocalGroup", "whoami /groups")
| extend IsBloodHound = ProcessCommandLine has_any ("SharpHound", "BloodHound", "-CollectionMethod")
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsDomainGroupQuery, IsLocalGroupQuery, IsBloodHound, SuspiciousParent
| sort by Timestamp desc

Detects permission group discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Covers net.exe/net1.exe group enumeration (both local and domain), PowerShell AD cmdlets (Get-ADGroup, Get-ADGroupMember, Get-LocalGroup), dsquery/dsget LDAP queries, whoami /groups and /all flags, gpresult execution, and BloodHound/SharpHound collector usage. Flags whether each event targets domain groups, local groups, or appears to be automated BloodHound collection. Parent process context is captured to identify execution from unexpected interpreters.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators and helpdesk staff routinely running net localgroup or net group to troubleshoot access issues
Active Directory management scripts and scheduled tasks using Get-ADGroup or Get-ADGroupMember for account provisioning
Security tools and monitoring agents (e.g., CrowdStrike, Tenable) that enumerate group memberships as part of posture assessment
Software installation processes that check for membership in local Administrators or specific service groups
Legitimate BloodHound usage by authorized red team or vulnerability management teams with change management records
GPO deployment verification scripts using gpresult to confirm policy application to the correct groups

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval LowerCMD=lower(CommandLine)
| eval LowerImage=lower(Image)
| where
    (
      (match(LowerImage, "\\\\net\.exe$") OR match(LowerImage, "\\\\net1\.exe$"))
      AND (match(LowerCMD, "group") OR match(LowerCMD, "localgroup"))
    ) OR (
      (match(LowerImage, "\\\\powershell\.exe$") OR match(LowerImage, "\\\\pwsh\.exe$"))
      AND match(LowerCMD, "(get-adgroup|get-adgroupmember|get-localgroup|get-localgroupmember|get-adprincipalGroupmembership)")
    ) OR (
      (match(LowerImage, "\\\\dsquery\.exe$") OR match(LowerImage, "\\\\dsget\.exe$"))
      AND match(LowerCMD, "group")
    ) OR (
      match(LowerImage, "\\\\whoami\.exe$")
      AND match(LowerCMD, "(/groups|/all|/priv)")
    ) OR (
      match(LowerImage, "\\\\gpresult\.exe$")
    ) OR (
      match(LowerCMD, "(sharphound|bloodhound|-collectionmethod)")
    )
| eval IsDomainGroupQuery=if(match(LowerCMD, "(/domain|net group|dsquery group|get-adgroup)"), 1, 0)
| eval IsLocalGroupQuery=if(match(LowerCMD, "(localgroup|get-localgroup|whoami /groups)"), 1, 0)
| eval IsBloodHound=if(match(LowerCMD, "(sharphound|bloodhound|-collectionmethod)"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(wscript|cscript|mshta|rundll32|regsvr32)"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, IsDomainGroupQuery, IsLocalGroupQuery, IsBloodHound, SuspiciousParent
| sort - _time

Detects permission group discovery using Sysmon Event ID 1 (Process Creation) or Security Event ID 4688. Normalizes fields across both sourcetypes to handle environments with either or both configured. Covers net.exe/net1.exe group commands, PowerShell AD and local group cmdlets, dsquery/dsget group queries, whoami /groups and /all, gpresult, and BloodHound/SharpHound indicators. Flags domain vs local group queries and suspicious parent processes for analyst prioritization.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators and helpdesk staff routinely running net localgroup or net group to troubleshoot access issues
Active Directory management scripts and scheduled tasks using Get-ADGroup or Get-ADGroupMember for account provisioning
Security tools and monitoring agents enumerating group memberships as part of posture assessment
Software installation processes checking for local Administrators or specific service group membership
Authorized BloodHound usage by red team or vulnerability management teams
GPO deployment verification scripts using gpresult

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (
    process.name in~ ("net.exe", "net1.exe")
    and process.args : ("group", "localgroup")
  ) or (
    process.name in~ ("powershell.exe", "pwsh.exe")
    and process.command_line : ("*Get-ADGroup*", "*Get-ADGroupMember*", "*Get-LocalGroup*", "*Get-LocalGroupMember*", "*Get-ADPrincipalGroupMembership*")
  ) or (
    process.name in~ ("dsquery.exe", "dsget.exe")
    and process.command_line : "*group*"
  ) or (
    process.name : "whoami.exe"
    and process.args : ("/groups", "/all", "/priv")
  ) or (
    process.name : "gpresult.exe"
  ) or (
    process.command_line : ("*SharpHound*", "*BloodHound*", "*-CollectionMethod*", "*--CollectionMethods*")
  ) or (
    process.name in~ ("id", "groups", "getent")
    and process.parent.name in ("bash", "sh", "zsh", "dash", "python", "python3", "perl", "ruby")
  )
)

Detects permission group discovery activity (MITRE T1069) by monitoring process execution for Windows group enumeration commands (net group, dsquery, whoami /groups), PowerShell AD/local group cmdlets, BloodHound/SharpHound collectors, and Linux identity commands (id, groups, getent group). Covers both domain and local group enumeration patterns used by APT41, TA505, Volt Typhoon, and Scattered Spider.

medium severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat (Linux)

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

IT administrators running routine AD health checks or group membership audits using Get-ADGroup or net group commands during normal operations
Helpdesk staff using gpresult or whoami /groups to troubleshoot user permissions and Group Policy application issues
Legitimate security tools and SIEM agents enumerating local groups during asset inventory or compliance scanning
DevOps pipelines or configuration management tools (Ansible, Chef, Puppet) querying group membership to validate provisioning state
BloodHound or SharpHound legitimately run by red team or internal penetration testing teams with prior authorization

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '.*(/domain|net group|dsquery group|get-adgroup).*' THEN 'true'
    ELSE 'false'
  END AS is_domain_group_query,
  CASE
    WHEN LOWER("Command") MATCHES '.*(localgroup|get-localgroup|whoami /groups).*' THEN 'true'
    ELSE 'false'
  END AS is_local_group_query,
  CASE
    WHEN LOWER("Command") MATCHES '.*(sharphound|bloodhound|-collectionmethod).*' THEN 'true'
    ELSE 'false'
  END AS is_bloodhound,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*(wscript|cscript|mshta|rundll32|regsvr32).*' THEN 'true'
    ELSE 'false'
  END AS suspicious_parent
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15, 45)  /* Windows Security, Sysmon, Windows System */
  AND devicetime > (NOW() - 86400000)
  AND (
    (
      (LOWER("Process Name") MATCHES '.*\\\\net\.exe$' OR LOWER("Process Name") MATCHES '.*\\\\net1\.exe$')
      AND (LOWER("Command") MATCHES '.*group.*' OR LOWER("Command") MATCHES '.*localgroup.*')
    ) OR (
      (LOWER("Process Name") MATCHES '.*\\\\powershell\.exe$' OR LOWER("Process Name") MATCHES '.*\\\\pwsh\.exe$')
      AND LOWER("Command") MATCHES '.*(get-adgroup|get-adgroupmember|get-localgroup|get-localgroupmember|get-adprincipalgroupmembership).*'
    ) OR (
      (LOWER("Process Name") MATCHES '.*\\\\dsquery\.exe$' OR LOWER("Process Name") MATCHES '.*\\\\dsget\.exe$')
      AND LOWER("Command") MATCHES '.*group.*'
    ) OR (
      LOWER("Process Name") MATCHES '.*\\\\whoami\.exe$'
      AND LOWER("Command") MATCHES '.*/groups|/all|/priv.*'
    ) OR (
      LOWER("Process Name") MATCHES '.*\\\\gpresult\.exe$'
    ) OR (
      LOWER("Command") MATCHES '.*(sharphound|bloodhound|-collectionmethod|--collectionmethods).*'
    )
  )
ORDER BY devicetime DESC

QRadar AQL query detecting MITRE T1069 Permission Groups Discovery by monitoring process execution logs from Windows Security (EventCode 4688) and Sysmon sources. Identifies net.exe group enumeration, PowerShell AD/local group cmdlets, dsquery/dsget LDAP queries, whoami with privilege flags, gpresult execution, and BloodHound/SharpHound collector patterns. Enriches each event with classification flags for domain vs local group queries and BloodHound usage.

medium severity medium confidence

Data Sources

Windows Security Event Log (EventCode 4688) Sysmon via Windows Event Log QRadar Windows Log Source

Required Tables

events

False Positives

Active Directory administrators performing scheduled group membership audits or running Get-ADGroup as part of routine identity governance processes
IT support staff using whoami /groups or gpresult to diagnose policy application failures or permission issues during user escalations
Automated vulnerability scanners or EDR agents that enumerate local and domain groups as part of their asset profiling baseline
Configuration management platforms (Ansible, PowerShell DSC) that check group membership during provisioning workflows

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /(?i)(EventCode=1|EventCode=4688|event_id=1|event_id=4688)/
| parse field=_raw "Image=*" as Image nodrop
| parse field=_raw "NewProcessName=*" as NewProcessName nodrop
| parse field=_raw "CommandLine=*" as CommandLine nodrop
| parse field=_raw "ProcessCommandLine=*" as ProcessCommandLine nodrop
| parse field=_raw "ParentImage=*" as ParentImage nodrop
| parse field=_raw "ParentProcessName=*" as ParentProcessName nodrop
| parse field=_raw "User=*" as User nodrop
| parse field=_raw "Computer=*" as Computer nodrop
| eval process_image = if(!isEmpty(Image), Image, NewProcessName)
| eval cmd_line = if(!isEmpty(CommandLine), CommandLine, ProcessCommandLine)
| eval parent_image = if(!isEmpty(ParentImage), ParentImage, ParentProcessName)
| eval lower_image = toLowerCase(process_image)
| eval lower_cmd = toLowerCase(cmd_line)
| where (
    (matches(lower_image, ".*\\\\net\.exe$") OR matches(lower_image, ".*\\\\net1\.exe$"))
    AND (matches(lower_cmd, ".*group.*") OR matches(lower_cmd, ".*localgroup.*"))
  ) OR (
    (matches(lower_image, ".*\\\\powershell\.exe$") OR matches(lower_image, ".*\\\\pwsh\.exe$"))
    AND matches(lower_cmd, ".*(get-adgroup|get-adgroupmember|get-localgroup|get-localgroupmember|get-adprincipalgroupmembership).*")
  ) OR (
    (matches(lower_image, ".*\\\\dsquery\.exe$") OR matches(lower_image, ".*\\\\dsget\.exe$"))
    AND matches(lower_cmd, ".*group.*")
  ) OR (
    matches(lower_image, ".*\\\\whoami\.exe$")
    AND matches(lower_cmd, ".*/groups.*|.*/all.*|.*/priv.*")
  ) OR (
    matches(lower_image, ".*\\\\gpresult\.exe$")
  ) OR (
    matches(lower_cmd, ".*(sharphound|bloodhound|-collectionmethod|--collectionmethods).*")
  )
| eval IsDomainGroupQuery = if(matches(lower_cmd, ".*/domain.*|.*net group.*|.*dsquery group.*|.*get-adgroup.*"), 1, 0)
| eval IsLocalGroupQuery = if(matches(lower_cmd, ".*localgroup.*|.*get-localgroup.*|.*whoami /groups.*"), 1, 0)
| eval IsBloodHound = if(matches(lower_cmd, ".*(sharphound|bloodhound|-collectionmethod).*"), 1, 0)
| eval SuspiciousParent = if(matches(toLowerCase(parent_image), ".*(wscript|cscript|mshta|rundll32|regsvr32).*"), 1, 0)
| fields _messageTime, Computer, User, process_image, cmd_line, parent_image, IsDomainGroupQuery, IsLocalGroupQuery, IsBloodHound, SuspiciousParent
| sort by _messageTime desc

Sumo Logic query detecting MITRE T1069 Permission Groups Discovery by parsing Windows Security (EventCode 4688) and Sysmon process creation events. Identifies group enumeration via net.exe, PowerShell AD/local group cmdlets, dsquery/dsget LDAP tools, whoami privilege queries, gpresult, and BloodHound/SharpHound collectors. Each event is enriched with classification flags indicating the type of group query and whether a suspicious parent process initiated the activity.

medium severity medium confidence

Data Sources

Windows Event Log (Security 4688, Sysmon EID 1) Sumo Logic Windows Collector Sumo Logic Cloud SIEM Enterprise

Required Tables

Windows event log sources via _sourceCategory

False Positives

System administrators performing routine AD group membership reviews or compliance checks using Get-ADGroup and related PowerShell cmdlets from management workstations
Help desk technicians running gpresult or whoami /all to troubleshoot GPO application or access permission issues for end users
Automated discovery agents from CyberArk, BeyondTrust, or similar PAM solutions enumerating privileged group memberships during account vaulting
Red team or penetration testing exercises using BloodHound/SharpHound with documented authorization and scope agreements

Google Chronicle / SecOps

yaral

rule mitre_t1069_permission_groups_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1069 Permission Groups Discovery via net.exe group enumeration, PowerShell AD/local group cmdlets, dsquery/dsget, whoami with group flags, gpresult, and BloodHound/SharpHound collectors"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1069"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1069/"
    severity = "MEDIUM"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $proc_path

    (
      // net.exe / net1.exe group enumeration
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)net1?\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)\bgroup\b`)
          or re.regex($e.target.process.command_line, `(?i)\blocalgroup\b`)
        )
      )
      or
      // PowerShell AD/local group cmdlets
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(Get-ADGroup|Get-ADGroupMember|Get-LocalGroup|Get-LocalGroupMember|Get-ADPrincipalGroupMembership)`)
      )
      or
      // dsquery / dsget LDAP group queries
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(dsquery|dsget)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\bgroup\b`)
      )
      or
      // whoami with group/privilege flags
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)whoami\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(/groups|/all|/priv)`)
      )
      or
      // gpresult — Group Policy result showing group memberships
      re.regex($e.target.process.file.full_path, `(?i)(\\|/)gpresult\.exe$`)
      or
      // BloodHound / SharpHound collection
      re.regex($e.target.process.command_line, `(?i)(SharpHound|BloodHound|-CollectionMethod|--CollectionMethods)`)
    )

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule detecting MITRE T1069 Permission Groups Discovery. Monitors PROCESS_LAUNCH UDM events for group enumeration via net.exe/net1.exe, PowerShell AD and local group cmdlets (Get-ADGroup, Get-LocalGroup families), dsquery/dsget LDAP group queries, whoami with /groups /all /priv flags, gpresult execution, and BloodHound/SharpHound collector invocations. Designed for the Chronicle UDM normalized event model.

medium severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Forwarder with Sysmon/Windows Security Chronicle UDM normalized process events

Required Tables

UDM events (PROCESS_LAUNCH type)

False Positives

IT administrators using Get-ADGroup or net group commands from privileged admin workstations during routine identity lifecycle management tasks
Group Policy troubleshooting workflows where helpdesk runs gpresult /r or whoami /groups to diagnose policy application failures
Authorized red team operators or internal penetration testers running BloodHound/SharpHound under a defined rules-of-engagement scope
Configuration management and deployment automation tools querying group membership to validate role-based access control configuration

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\|\/)((net|net1|powershell|pwsh|dsquery|dsget|whoami|gpresult)\.exe)$/
| CommandLine = /(?i)(group|localgroup|Get-ADGroup|Get-ADGroupMember|Get-LocalGroup|Get-LocalGroupMember|Get-ADPrincipalGroupMembership|dsquery group|dsget group|\/groups|\/all|\/priv|gpresult|SharpHound|BloodHound|-CollectionMethod|--CollectionMethods)/
| case {
    ImageFileName = /(?i)(\\|\/)net1?\.exe$/ AND CommandLine = /(?i)(group|localgroup)/ | IsDomainGroupQuery := if(CommandLine = /(?i)\/domain/, true, false), IsLocalGroupQuery := if(CommandLine = /(?i)localgroup/, true, false), QueryType := "net_group_enum" ;
    ImageFileName = /(?i)(\\|\/)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Get-ADGroup|Get-ADGroupMember|Get-LocalGroup|Get-LocalGroupMember|Get-ADPrincipalGroupMembership)/ | IsDomainGroupQuery := if(CommandLine = /(?i)Get-ADGroup/, true, false), IsLocalGroupQuery := if(CommandLine = /(?i)Get-LocalGroup/, true, false), QueryType := "powershell_group_enum" ;
    ImageFileName = /(?i)(\\|\/)(dsquery|dsget)\.exe$/ AND CommandLine = /(?i)group/ | IsDomainGroupQuery := true, IsLocalGroupQuery := false, QueryType := "ldap_group_enum" ;
    ImageFileName = /(?i)(\\|\/)whoami\.exe$/ AND CommandLine = /(?i)(\/groups|\/all|\/priv)/ | IsDomainGroupQuery := false, IsLocalGroupQuery := true, QueryType := "whoami_groups" ;
    ImageFileName = /(?i)(\\|\/)gpresult\.exe$/ | IsDomainGroupQuery := false, IsLocalGroupQuery := true, QueryType := "gpresult" ;
    CommandLine = /(?i)(SharpHound|BloodHound|-CollectionMethod|--CollectionMethods)/ | IsDomainGroupQuery := true, IsLocalGroupQuery := true, QueryType := "bloodhound_collection" ;
    * | QueryType := "other"
  }
| SuspiciousParent := if(ParentBaseFileName = /(?i)(wscript|cscript|mshta|rundll32|regsvr32)\.exe$/, true, false)
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, QueryType, IsDomainGroupQuery, IsLocalGroupQuery, SuspiciousParent])
| sort(field=@timestamp, order=desc)

CrowdStrike LogScale (Falcon) CQL query detecting MITRE T1069 Permission Groups Discovery using ProcessRollup2 events from the Falcon sensor. Detects net.exe/net1.exe group commands, PowerShell AD/local group cmdlets, dsquery/dsget LDAP group enumeration, whoami with privilege flags, gpresult, and BloodHound/SharpHound collection. Uses case expressions to classify each match by query type (domain vs local) and flags events originating from suspicious parent processes like wscript, cscript, mshta, rundll32, and regsvr32.

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Falcon LogScale (Humio)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Active Directory administrators running Get-ADGroup, Get-ADGroupMember, or dsquery group from domain controller admin sessions as part of access review processes
IT helpdesk staff executing whoami /groups, whoami /all, or gpresult to verify Group Policy application and troubleshoot access issues
Privileged Access Management (PAM) solutions such as CyberArk or BeyondTrust periodically enumerating group memberships to build and maintain privileged access inventories
Authorized purple team exercises using BloodHound/SharpHound for AD attack path analysis within agreed engagement windows

Sigma rule & cross-platform mapping

The detection logic for Permission Groups Discovery (T1069) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1069 Sigma rules on detection.fyi

Platform-specific guides for T1069

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Local Group Enumeration via net.exe
Expected signal: Sysmon Event ID 1: Two Process Create events for net.exe (or net1.exe, which net.exe spawns internally). CommandLine values: 'net localgroup' and 'net localgroup Administrators'. Security Event ID 4688 if command line auditing is enabled. Parent process will be cmd.exe or the shell used to execute the commands.
Test 2Domain Group Enumeration via net.exe
Expected signal: Sysmon Event ID 1: Process Create for net.exe with CommandLine 'net group /domain' and 'net group "Domain Admins" /domain'. Network connection to domain controller on port 389 (LDAP) or 445 (SMB SAMR protocol). On the domain controller: Security Event ID 4661/4662 may fire for SAM group object access.
Test 3PowerShell Active Directory Group Enumeration
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADGroup' and 'Get-ADGroupMember'. PowerShell ScriptBlock Log Event ID 4104 capturing the full script content. LDAP network traffic to domain controller on port 389/636.
Test 4whoami Group Membership Query
Expected signal: Sysmon Event ID 1: Two Process Create events for whoami.exe. CommandLine values: 'whoami /groups' and 'whoami /all'. No network traffic (local token query). Output includes SID values, group names, and enabled privileges — this data is often captured via screen scraping in interactive sessions.
Test 5Linux Group Discovery via id and getent
Expected signal: Linux auditd: syscall execve events for /usr/bin/id, /usr/bin/groups, /usr/bin/getent with respective arguments. Syslog entries if exec auditing is enabled. On systems with osquery or EDR agents: process creation events for each command with full argument lists.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1069 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Permission Groups Discovery

What is T1069 Permission Groups Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1069

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1069 Permission Groups Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1069

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox