T1069.001

Local Groups

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as net localgroup of the Net utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.

Microsoft Sentinel / Defender

kusto

let LocalGroupCommands = dynamic([
  "net localgroup", "net1 localgroup",
  "Get-LocalGroup", "Get-LocalGroupMember",
  "dscl . -list /Groups", "dscl . list /Groups",
  "id -Gn", "groups ", "getent group",
  "ShowLocalGroupDetails"
]);
let SuspiciousGroupTargets = dynamic([
  "administrators", "admin", "remote desktop", "backup operators",
  "power users", "network configuration", "event log readers"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Windows net.exe / net1.exe commands
    (FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "localgroup")
    // PowerShell LocalGroup cmdlets
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-LocalGroup", "Get-LocalGroupMember", "Enumerate", "LocalGroup"))
    // macOS dscl
    or (FileName =~ "dscl" and ProcessCommandLine has "Groups")
    // Linux groups/id/getent
    or (FileName in~ ("groups", "id", "getent") and (ProcessCommandLine has "group" or FileName =~ "groups"))
    // WMIC
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("group", "localgroup"))
  )
| extend IsAdminGroupQuery = ProcessCommandLine has_any (SuspiciousGroupTargets)
| extend IsNetLocalGroup = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "localgroup"
| extend IsPowerShellLocalGroup = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-LocalGroup", "Get-LocalGroupMember")
| extend IsWmicGroup = FileName =~ "wmic.exe" and ProcessCommandLine has "group"
| extend SuspiciousParent = InitiatingProcessFileName in~ (
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "svchost.exe",
    "python.exe", "python3", "bash", "sh", "zsh"
  )
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName,
         IsAdminGroupQuery, IsNetLocalGroup, IsPowerShellLocalGroup, IsWmicGroup, SuspiciousParent
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators manually inventorying local group membership during routine system audits or change management
Endpoint management agents (SCCM, Intune, Tanium, CrowdStrike) that enumerate local groups as part of system inventory or compliance checks
Vulnerability scanners and security assessment tools (Nessus, Qualys, Rapid7) that enumerate local groups as part of credentialed scans
Helpdesk scripts and support tools that check local group membership before granting or revoking access
Legitimate user enumeration during Active Directory domain join procedures or user provisioning workflows

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval CommandLine_lower=lower(CommandLine)
| eval Image_lower=lower(Image)
| where (
    (match(Image_lower, "(\\\\net\.exe|\\\\net1\.exe)") AND match(CommandLine_lower, "localgroup"))
    OR (match(Image_lower, "(\\\\powershell\.exe|\\\\pwsh\.exe)") AND match(CommandLine_lower, "(get-localgroup|get-localgroupmember|localgroup)"))
    OR (match(Image_lower, "\\\\wmic\.exe") AND match(CommandLine_lower, "group"))
  )
| eval IsAdminGroupQuery=if(match(CommandLine_lower, "(administrators|admin|remote desktop|backup operators|power users)"), 1, 0)
| eval IsNetLocalGroup=if(match(Image_lower, "(net\.exe|net1\.exe)") AND match(CommandLine_lower, "localgroup"), 1, 0)
| eval IsPowerShellLocalGroup=if(match(Image_lower, "(powershell\.exe|pwsh\.exe)") AND match(CommandLine_lower, "(get-localgroup|get-localgroupmember)"), 1, 0)
| eval IsWmicGroup=if(match(Image_lower, "wmic\.exe") AND match(CommandLine_lower, "group"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|python\.exe|bash|sh)"), 1, 0)
| eval SuspicionScore=IsAdminGroupQuery + SuspiciousParent
| table _time, host, User, Image, CommandLine, ParentImage, IsAdminGroupQuery, IsNetLocalGroup, IsPowerShellLocalGroup, IsWmicGroup, SuspiciousParent, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

IT administrators manually inventorying local group membership during routine system audits or change management
Endpoint management agents (SCCM, Intune, Tanium, CrowdStrike) that enumerate local groups as part of system inventory or compliance checks
Vulnerability scanners and security assessment tools (Nessus, Qualys, Rapid7) that enumerate local groups as part of credentialed scans
Helpdesk scripts and support tools that check local group membership before granting or revoking access
Legitimate user enumeration during Active Directory domain join procedures or user provisioning workflows

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=30s
  [process where event.type == "start" and
    (
      (process.name in~ ("net.exe", "net1.exe") and process.args : "localgroup") or
      (process.name in~ ("powershell.exe", "pwsh.exe") and process.args : ("Get-LocalGroup", "Get-LocalGroupMember", "*LocalGroup*")) or
      (process.name == "wmic.exe" and process.args : ("group", "localgroup")) or
      (process.name == "dscl" and process.args : "Groups") or
      (process.name in~ ("groups", "id", "getent") and (process.args : "group" or process.name == "groups"))
    )
  ] by process.pid

/* Standalone alert for single-event detection */
/* Use this simpler form if sequence is not needed: */
/*
process where event.type == "start" and
  (
    (process.name in~ ("net.exe", "net1.exe") and process.args : "localgroup") or
    (process.name in~ ("powershell.exe", "pwsh.exe") and process.args : ("Get-LocalGroup", "Get-LocalGroupMember")) or
    (process.name == "wmic.exe" and process.args : ("group", "localgroup")) or
    (process.name == "dscl" and process.args : "Groups") or
    (process.name in~ ("groups", "id", "getent") and process.args : "group")
  ) and
  (
    process.args : ("administrators", "admin", "remote desktop", "backup operators", "power users") or
    process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "python.exe", "python3", "bash", "sh", "zsh")
  )
*/

medium severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.process) Winlogbeat with Sysmon (event.code:1) Auditbeat (auditd module) Filebeat with system module

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

IT administrators running inventory or compliance scripts that enumerate local group membership across endpoints
Configuration management tools (Ansible, Chef, Puppet) that enumerate local groups to verify system state
Security scanners (Tenable, Qualys, Rapid7) performing authenticated vulnerability assessments that check local group membership
Helpdesk staff legitimately checking group membership when troubleshooting user permission issues via net localgroup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "hostname",
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '.*administrators.*' THEN 1
    WHEN LOWER("Command") MATCHES '.*backup operators.*' THEN 1
    WHEN LOWER("Command") MATCHES '.*remote desktop.*' THEN 1
    WHEN LOWER("Command") MATCHES '.*power users.*' THEN 1
    ELSE 0
  END AS is_admin_group_query,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(net\.exe|net1\.exe)' AND LOWER("Command") MATCHES '.*localgroup.*' THEN 1
    ELSE 0
  END AS is_net_localgroup,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe)' AND LOWER("Command") MATCHES '.*(get-localgroup|get-localgroupmember).*' THEN 1
    ELSE 0
  END AS is_ps_localgroup,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*wmic\.exe' AND LOWER("Command") MATCHES '.*(group|localgroup).*' THEN 1
    ELSE 0
  END AS is_wmic_group,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|python\.exe|bash|sh)' THEN 1
    ELSE 0
  END AS suspicious_parent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("Process Name") MATCHES '.*(net\.exe|net1\.exe)' AND LOWER("Command") MATCHES '.*localgroup.*')
    OR (LOWER("Process Name") MATCHES '.*(powershell\.exe|pwsh\.exe)' AND LOWER("Command") MATCHES '.*(get-localgroup|get-localgroupmember|localgroup).*')
    OR (LOWER("Process Name") MATCHES '.*wmic\.exe' AND LOWER("Command") MATCHES '.*(group|localgroup).*')
    OR (LOWER("Process Name") MATCHES '.*dscl' AND LOWER("Command") MATCHES '.*groups.*')
    OR (LOWER("Process Name") MATCHES '.*(\bgroups\b|\bid\b|getent)' AND LOWER("Command") MATCHES '.*group.*')
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log (Event ID 4688) Sysmon Event ID 1 (Process Create) Linux Audit Log (auditd execve) macOS Unified Log (process execution)

Required Tables

events

False Positives

Scheduled compliance auditing scripts run by IT operations teams to enumerate local group membership for reporting
Remote monitoring and management (RMM) tools such as ConnectWise Automate or NinjaRMM executing group queries as part of endpoint health checks
System Center Configuration Manager (SCCM) hardware/software inventory collections that enumerate local groups
Active Directory group policy verification scripts checking local group membership to validate GPO application

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=linux/secure OR _sourceCategory=linux/audit
| parse "Image: *" as process_image nodrop
| parse "CommandLine: *" as command_line nodrop
| parse "ParentImage: *" as parent_image nodrop
| parse "User: *" as user nodrop
| parse "Computer: *" as hostname nodrop
| parse "NewProcessName: *" as new_process_name nodrop
| parse "ProcessCommandLine: *" as process_command_line nodrop
| where (
    // Windows net.exe / net1.exe
    (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*\\(net\.exe|net1\.exe)")
      AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*localgroup.*"))
    // PowerShell LocalGroup cmdlets
    OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*\\(powershell\.exe|pwsh\.exe)")
      AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*(get-localgroup|get-localgroupmember|localgroup).*"))
    // WMIC group
    OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*\\wmic\.exe")
      AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*(group|localgroup).*"))
    // macOS dscl
    OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*dscl")
      AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*groups.*"))
    // Linux groups/id/getent
    OR matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*(\bgroups\b|getent)")
    OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*/id")
      AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*(group|-G).*"))
  )
| eval cmd = toLowerCase(if(isNull(command_line), process_command_line, command_line))
| eval img = toLowerCase(if(isNull(process_image), new_process_name, process_image))
| eval parent = toLowerCase(if(!isNull(parent_image), parent_image, ""))
| eval is_admin_group_query = if(matches(cmd, ".*(administrators|admin|remote desktop|backup operators|power users|network configuration).*"), 1, 0)
| eval is_net_localgroup = if(matches(img, ".*(net\.exe|net1\.exe)") AND matches(cmd, ".*localgroup.*"), 1, 0)
| eval is_ps_localgroup = if(matches(img, ".*(powershell\.exe|pwsh\.exe)") AND matches(cmd, ".*(get-localgroup|get-localgroupmember).*"), 1, 0)
| eval is_wmic_group = if(matches(img, ".*wmic\.exe") AND matches(cmd, ".*(group|localgroup).*"), 1, 0)
| eval suspicious_parent = if(matches(parent, ".*(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|python\.exe|python3|bash|sh|zsh).*"), 1, 0)
| eval suspicion_score = is_admin_group_query + suspicious_parent
| fields _messageTime, hostname, user, img, cmd, parent, is_admin_group_query, is_net_localgroup, is_ps_localgroup, is_wmic_group, suspicious_parent, suspicion_score
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sysmon (Event ID 1 - Process Create) Windows Security Event Log (Event ID 4688 - Process Creation) Linux syslog / auditd macOS Unified Logging

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security _sourceCategory=linux/secure _sourceCategory=linux/audit

False Positives

IT support staff troubleshooting user access issues by manually checking local group membership with net localgroup
Automated build or test pipelines on CI/CD agents that enumerate group membership to validate environment configuration
SIEM and EDR agents themselves checking local group membership during installation or health checks
Penetration testing engagements using authorized tooling such as BloodHound, PowerView, or manual net commands against in-scope systems

Google Chronicle / SecOps

yaral

rule t1069_001_local_group_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects local group enumeration consistent with MITRE ATT&CK T1069.001. Identifies net localgroup, PowerShell Get-LocalGroup/Get-LocalGroupMember, WMIC group queries, macOS dscl Groups listing, and Linux groups/id/getent commands, especially when targeting privileged groups or spawned from suspicious parent processes."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1069.001"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Windows net.exe / net1.exe localgroup
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\net\.exe|\\net1\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)localgroup`)
      ) or
      // PowerShell Get-LocalGroup / Get-LocalGroupMember
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\powershell\.exe|\\pwsh\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)(get-localgroup|get-localgroupmember|localgroup)`)
      ) or
      // WMIC group query
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(\bgroup\b|localgroup)`)
      ) or
      // macOS dscl Groups listing
      (
        re.regex($e.target.process.file.full_path, `(?i)/dscl$`) and
        re.regex($e.target.process.command_line, `(?i)Groups`)
      ) or
      // Linux: groups, getent group
      (
        re.regex($e.target.process.file.full_path, `(?i)/(groups|getent)$`) and
        re.regex($e.target.process.command_line, `(?i)group`)
      ) or
      // Linux: id -Gn
      (
        re.regex($e.target.process.file.full_path, `(?i)/id$`) and
        re.regex($e.target.process.command_line, `(?i)(-G|-Gn)`)
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($e.target.process.command_line, `(?i)(administrators|backup operators|remote desktop|power users|network configuration)`),
        40, 0
      ) +
      if(
        re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|python\.exe|python3|bash|/sh|zsh)$`),
        35, 0
      ) +
      if(
        re.regex($e.target.process.command_line, `(?i)(get-localgroup|get-localgroupmember)`),
        25, 0
      )
    )
    $target_cmd = array_distinct($e.target.process.command_line)
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid

  condition:
    $e
}

medium severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) PROCESS_LAUNCH events Google Chronicle Forwarder ingesting Windows Event Logs Chronicle Forwarder ingesting Sysmon XML events Chronicle UDM normalization of Linux auditd execve events

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

System administrators using net localgroup or PowerShell Get-LocalGroupMember as part of documented operational runbooks for access reviews
Domain join and provisioning automation that validates local Administrators group membership post-build to confirm GPO application
Backup software agents (e.g., Veeam, Commvault) that enumerate local Backup Operators group membership at startup to verify required permissions

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (Falcon) — T1069.001 Local Group Enumeration Detection
// Requires Falcon Insight EDR with process telemetry enabled

#event_simpleName = ProcessRollup2
| eval FileName_lower = lower(FileName)
| eval CommandLine_lower = lower(CommandLine)
| eval ParentBaseFileName_lower = lower(ParentBaseFileName)
| where
    // Windows net.exe / net1.exe localgroup
    (FileName_lower in ("net.exe", "net1.exe") and CommandLine_lower = /localgroup/)
    // PowerShell Get-LocalGroup / Get-LocalGroupMember
    or (FileName_lower in ("powershell.exe", "pwsh.exe") and CommandLine_lower = /(get-localgroup|get-localgroupmember|localgroup)/)
    // WMIC group query
    or (FileName_lower = "wmic.exe" and CommandLine_lower = /(\bgroup\b|localgroup)/)
    // macOS dscl Groups
    or (FileName_lower = "dscl" and CommandLine_lower = /groups/i)
    // Linux groups binary
    or FileName_lower = "groups"
    // Linux getent group
    or (FileName_lower = "getent" and CommandLine_lower = /group/)
    // Linux id -Gn
    or (FileName_lower = "id" and CommandLine_lower = /(-G|-Gn)/)
| eval IsAdminGroupQuery = if(
    CommandLine_lower = /(administrators|admin|remote desktop|backup operators|power users|network configuration)/,
    1, 0
  )
| eval IsNetLocalGroup = if(
    FileName_lower in ("net.exe", "net1.exe") and CommandLine_lower = /localgroup/,
    1, 0
  )
| eval IsPowerShellLocalGroup = if(
    FileName_lower in ("powershell.exe", "pwsh.exe") and CommandLine_lower = /(get-localgroup|get-localgroupmember)/,
    1, 0
  )
| eval IsWmicGroup = if(
    FileName_lower = "wmic.exe" and CommandLine_lower = /(group|localgroup)/,
    1, 0
  )
| eval SuspiciousParent = if(
    ParentBaseFileName_lower = /(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|python\.exe|python3|bash|\bsh\b|zsh)/,
    1, 0
  )
| eval SuspicionScore = IsAdminGroupQuery + SuspiciousParent
| table
    @timestamp,
    ComputerName,
    UserName,
    FileName,
    CommandLine,
    ParentBaseFileName,
    IsAdminGroupQuery,
    IsNetLocalGroup,
    IsPowerShellLocalGroup,
    IsWmicGroup,
    SuspiciousParent,
    SuspicionScore
| sort @timestamp desc

medium severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2 events) Falcon Endpoint Activity Monitoring CrowdStrike Falcon Data Replicator (FDR) process telemetry

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Falcon sensor itself or CrowdStrike RTR (Real Time Response) sessions executing group enumeration commands during authorized incident response investigations
Software deployment pipelines using SCCM, Intune, or similar tools that verify local group membership before installing software requiring elevated rights
IT operations personnel using automated scripts to audit local Administrators group membership across the fleet for CIS benchmark compliance reporting
Vulnerability management platforms performing credentialed scans that enumerate local groups to assess privilege escalation exposure

Last updated: 2026-04-17 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1069.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Local Groups

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections