T1069.001 Google Chronicle · YARA-L

Detect Local Groups in Google Chronicle

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as net localgroup of the Net utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.

MITRE ATT&CK

Tactic
Discovery
Technique
T1069 Permission Groups Discovery
Sub-technique
T1069.001 Local Groups
Canonical reference
https://attack.mitre.org/techniques/T1069/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1069_001_local_group_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects local group enumeration consistent with MITRE ATT&CK T1069.001. Identifies net localgroup, PowerShell Get-LocalGroup/Get-LocalGroupMember, WMIC group queries, macOS dscl Groups listing, and Linux groups/id/getent commands, especially when targeting privileged groups or spawned from suspicious parent processes."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1069.001"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Windows net.exe / net1.exe localgroup
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\net\.exe|\\net1\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)localgroup`)
      ) or
      // PowerShell Get-LocalGroup / Get-LocalGroupMember
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\powershell\.exe|\\pwsh\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)(get-localgroup|get-localgroupmember|localgroup)`)
      ) or
      // WMIC group query
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(\bgroup\b|localgroup)`)
      ) or
      // macOS dscl Groups listing
      (
        re.regex($e.target.process.file.full_path, `(?i)/dscl$`) and
        re.regex($e.target.process.command_line, `(?i)Groups`)
      ) or
      // Linux: groups, getent group
      (
        re.regex($e.target.process.file.full_path, `(?i)/(groups|getent)$`) and
        re.regex($e.target.process.command_line, `(?i)group`)
      ) or
      // Linux: id -Gn
      (
        re.regex($e.target.process.file.full_path, `(?i)/id$`) and
        re.regex($e.target.process.command_line, `(?i)(-G|-Gn)`)
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(
        re.regex($e.target.process.command_line, `(?i)(administrators|backup operators|remote desktop|power users|network configuration)`),
        40, 0
      ) +
      if(
        re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|python\.exe|python3|bash|/sh|zsh)$`),
        35, 0
      ) +
      if(
        re.regex($e.target.process.command_line, `(?i)(get-localgroup|get-localgroupmember)`),
        25, 0
      )
    )
    $target_cmd = array_distinct($e.target.process.command_line)
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid

  condition:
    $e
}
medium severity high confidence

Chronicle YARA-L 2.0 rule detecting local group enumeration (T1069.001) using UDM process launch events. Covers net localgroup, PowerShell LocalGroup cmdlets, WMIC group queries, macOS dscl, and Linux groups/id/getent commands. Risk scoring weights admin group targeting (+40), suspicious parent process (+35), and PowerShell LocalGroup cmdlets (+25). Aggregates over 5-minute windows per hostname.

Data Sources

Chronicle UDM (Unified Data Model) PROCESS_LAUNCH eventsGoogle Chronicle Forwarder ingesting Windows Event LogsChronicle Forwarder ingesting Sysmon XML eventsChronicle UDM normalization of Linux auditd execve events

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives & Tuning

  • System administrators using net localgroup or PowerShell Get-LocalGroupMember as part of documented operational runbooks for access reviews
  • Domain join and provisioning automation that validates local Administrators group membership post-build to confirm GPO application
  • Backup software agents (e.g., Veeam, Commvault) that enumerate local Backup Operators group membership at startup to verify required permissions
Download portable Sigma rule (.yml)

Other platforms for T1069.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Local Groups with net localgroup

    Expected signal: Sysmon Event ID 1: Two Process Create events with Image=C:\Windows\System32\net.exe, CommandLine='net localgroup' and 'net localgroup Administrators'. Security Event ID 4688 (if command line auditing enabled) with NewProcessName=net.exe and ProcessCommandLine containing 'localgroup'. Parent process will be cmd.exe or powershell.exe depending on execution context.

  2. Test 2Enumerate Local Groups with PowerShell Get-LocalGroup

    Expected signal: Sysmon Event ID 1: Two Process Create events with Image=powershell.exe, CommandLines containing 'Get-LocalGroup' and 'Get-LocalGroupMember'. PowerShell ScriptBlock Logging Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full cmdlets. Security Event ID 4688 if command line auditing is enabled.

  3. Test 3Enumerate Local Groups with WMIC

    Expected signal: Sysmon Event ID 1: Two Process Create events with Image=C:\Windows\System32\wbem\wmic.exe, CommandLines containing 'group list brief' and 'group where'. Security Event ID 4688 if command line auditing is enabled. WMI activity may also be captured in Event ID 5857-5861 from Microsoft-Windows-WMI-Activity/Operational.

  4. Test 4Enumerate Local Groups on Linux with groups and getent

    Expected signal: Auditd process creation events (if auditd is configured with -a always,exit -F arch=b64 -S execve rules) for groups, id, getent, and cat processes. Syslog entries if process accounting is enabled. On systems with Sysmon for Linux, Event ID 1 process creation events will be generated.

  5. Test 5Simulate Turla-style net localgroup output redirection

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'net localgroup administrators' and output redirection '>>'. Sysmon Event ID 1: Child process net.exe spawned by cmd.exe with CommandLine 'net localgroup administrators'. Sysmon Event ID 11: File Create event for the output file in %TEMP%. Security Event ID 4688 for both cmd.exe and net.exe if process creation auditing is enabled.

Last updated: 2026-04-17 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1069.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1069Permission Groups Discovery

Related Sub-techniques

T1069.002Domain GroupsT1069.003Cloud Groups

Related Techniques

T1069Permission Groups DiscoveryT1069.002Domain GroupsT1087.001Local AccountT1087.002Domain AccountT1033System Owner/User DiscoveryT1082System Information DiscoveryT1016System Network Configuration DiscoveryT1049System Network Connections DiscoveryT1078.001Default AccountsT1136.001Local AccountT1078.003Local Accounts

Same Tactic: Discovery

Popular Detections