Detect Local Groups in Sumo Logic CSE
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as net localgroup of the Net utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1069 Permission Groups Discovery
- Sub-technique: T1069.001 Local Groups
- Canonical reference: https://attack.mitre.org/techniques/T1069/001/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=linux/secure OR _sourceCategory=linux/audit
// Sysmon Event ID 1 fields
| parse "Image: *" as process_image nodrop
| parse "CommandLine: *" as command_line nodrop
| parse "ParentImage: *" as parent_image nodrop
| parse "User: *" as user nodrop
| parse "Computer: *" as hostname nodrop
// Security Event ID 4688 fields, used as the fallback when the Sysmon fields are absent
| parse "NewProcessName: *" as new_process_name nodrop
| parse "ProcessCommandLine: *" as process_command_line nodrop
| where (
// Windows net.exe / net1.exe
(matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*\\(net\.exe|net1\.exe)")
AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*localgroup.*"))
// PowerShell LocalGroup cmdlets
OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*\\(powershell\.exe|pwsh\.exe)")
AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*(get-localgroup|get-localgroupmember|localgroup).*"))
// WMIC group
OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*\\wmic\.exe")
AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*(group|localgroup).*"))
// macOS dscl
OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*dscl")
AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*groups.*"))
// Linux groups / getent group / id -G (the command line is lowercased, so "-G" is matched as "-g")
OR matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*\bgroups\b")
OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*getent")
AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*group.*"))
OR (matches(toLowerCase(if(isNull(process_image), new_process_name, process_image)), ".*/id")
AND matches(toLowerCase(if(isNull(command_line), process_command_line, command_line)), ".*(group|-g).*"))
)
| eval cmd = toLowerCase(if(isNull(command_line), process_command_line, command_line))
| eval img = toLowerCase(if(isNull(process_image), new_process_name, process_image))
| eval parent = toLowerCase(if(!isNull(parent_image), parent_image, ""))
// Group names that indicate interest in privileged membership
| eval is_admin_group_query = if(matches(cmd, ".*(administrators|admin|remote desktop|backup operators|power users|network configuration).*"), 1, 0)
| eval is_net_localgroup = if(matches(img, ".*(net\.exe|net1\.exe)") AND matches(cmd, ".*localgroup.*"), 1, 0)
| eval is_ps_localgroup = if(matches(img, ".*(powershell\.exe|pwsh\.exe)") AND matches(cmd, ".*(get-localgroup|get-localgroupmember).*"), 1, 0)
| eval is_wmic_group = if(matches(img, ".*wmic\.exe") AND matches(cmd, ".*(group|localgroup).*"), 1, 0)
// Windows script hosts and LOLBins anywhere in the parent path; Unix shells only as the final path component, so that "sh" does not match every path containing those two letters
| eval suspicious_parent = if(matches(parent, ".*(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|python\.exe|python3).*|(.*/)?(bash|sh|zsh)$"), 1, 0)
| eval suspicion_score = is_admin_group_query + suspicious_parent
| fields _messageTime, hostname, user, img, cmd, parent, is_admin_group_query, is_net_localgroup, is_ps_localgroup, is_wmic_group, suspicious_parent, suspicion_score
| sort by _messageTime desc

Sumo Logic CSE detection for local group enumeration (T1069.001) across Windows, macOS, and Linux. Parses Sysmon Event ID 1 and Windows Security Event 4688 process creation events to identify net localgroup, PowerShell Get-LocalGroup/Get-LocalGroupMember, WMIC group queries, macOS dscl group listing, and Linux groups/id/getent commands. Computes a suspicion score for admin group targeting and suspicious parent process chains.
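To see how the where clause and the scoring behave on concrete events, here is an added Python re-implementation of the query's logic (not Sumo Logic's or this page's own code) run over constructed Sysmon, Security 4688 and Sysmon-for-Linux samples; the "Key: value" message layout and the Splashtop parent path are assumptions, getent is only counted for group lookups, and Unix shell parents are matched by basename.

```python
import re

# Constructed sample events (not real telemetry), laid out as "Key: value" lines like the parsed Sysmon/4688 messages
SAMPLE_EVENTS = {
    # Sysmon EID 1: net.exe spawned by cmd.exe, targeting the administrators group (Test 5 chain)
    "turla_chain": "Image: C:\\Windows\\System32\\net.exe\nCommandLine: net localgroup administrators\n"
                   "ParentImage: C:\\Windows\\System32\\cmd.exe",
    # Security EID 4688 (no ParentImage field): helpdesk listing groups, the usual false positive
    "helpdesk": "NewProcessName: C:\\Windows\\System32\\net1.exe\nProcessCommandLine: net localgroup",
    # Sysmon for Linux: getent used for a DNS lookup, not groups; the rule must not fire
    "getent_hosts": "Image: /usr/bin/getent\nCommandLine: getent hosts example.com\nParentImage: /bin/bash",
    # Sysmon for Linux: id -G from a shell parent
    "id_G": "Image: /usr/bin/id\nCommandLine: id -G\nParentImage: /bin/sh",
    # Assumed vendor parent whose path contains "sh"; must not count as a shell parent
    "vendor_parent": "Image: C:\\Windows\\System32\\net.exe\nCommandLine: net localgroup\n"
                     "ParentImage: C:\\Program Files\\Splashtop\\SRService.exe",
}

# (image regex, command-line regex) pairs mirroring the query's where clause, all on lowercased text
RULES = [
    (r".*\\(net\.exe|net1\.exe)$", r".*localgroup.*"),
    (r".*\\(powershell\.exe|pwsh\.exe)$", r".*(get-localgroup|get-localgroupmember|localgroup).*"),
    (r".*\\wmic\.exe$", r".*(group|localgroup).*"),
    (r".*dscl$", r".*groups.*"),
    (r".*/groups$", r".*"),
    (r".*/getent$", r".*group.*"),       # only "getent group ..." is group discovery
    (r".*/id$", r".*(group|-g).*"),      # "-g" because the command line is lowercased
]
ADMIN_RE = re.compile(r".*(administrators|admin|remote desktop|backup operators|power users|network configuration).*")
# Windows script hosts/LOLBins anywhere in the parent path; Unix shells only as the basename
PARENT_RE = re.compile(
    r".*(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|"
    r"regsvr32\.exe|python\.exe|python3).*|(.*/)?(bash|sh|zsh)$")

def parse_event(msg):
    def field(name):  # same fallback order as the query's if(isNull(...)) expressions
        m = re.search(rf"^{name}: (.*)$", msg, re.M)
        return m.group(1).strip().lower() if m else ""
    return {"img": field("Image") or field("NewProcessName"),
            "cmd": field("CommandLine") or field("ProcessCommandLine"),
            "parent": field("ParentImage")}

def score_event(msg):
    ev = parse_event(msg)
    if not any(re.match(i, ev["img"]) and re.match(c, ev["cmd"]) for i, c in RULES):
        return None  # rejected by the where clause
    ev["is_admin_group_query"] = int(bool(ADMIN_RE.match(ev["cmd"])))
    ev["suspicious_parent"] = int(bool(PARENT_RE.match(ev["parent"])))
    ev["suspicion_score"] = ev["is_admin_group_query"] + ev["suspicious_parent"]
    return ev
```

The cmd.exe to net.exe chain scores 2, the helpdesk 4688 event matches but scores 0, and the DNS getent lookup is dropped entirely.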
False Positives & Tuning
- IT support staff troubleshooting user access issues by manually checking local group membership with net localgroup
- Automated build or test pipelines on CI/CD agents that enumerate group membership to validate environment configuration
- SIEM and EDR agents themselves checking local group membership during installation or health checks
- Penetration testing engagements using authorized tooling such as BloodHound, PowerView, or manual net commands against in-scope systems
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enumerate Local Groups with net localgroup
  Expected signal: Sysmon Event ID 1: Two Process Create events with Image=C:\Windows\System32\net.exe, CommandLine='net localgroup' and 'net localgroup Administrators'. Security Event ID 4688 (if command line auditing is enabled) with NewProcessName=net.exe and ProcessCommandLine containing 'localgroup'. The parent process will be cmd.exe or powershell.exe depending on execution context.
- Test 2: Enumerate Local Groups with PowerShell Get-LocalGroup
  Expected signal: Sysmon Event ID 1: Two Process Create events with Image=powershell.exe, CommandLines containing 'Get-LocalGroup' and 'Get-LocalGroupMember'. PowerShell ScriptBlock Logging Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full cmdlets. Security Event ID 4688 if command line auditing is enabled.
- Test 3: Enumerate Local Groups with WMIC
  Expected signal: Sysmon Event ID 1: Two Process Create events with Image=C:\Windows\System32\wbem\wmic.exe, CommandLines containing 'group list brief' and 'group where'. Security Event ID 4688 if command line auditing is enabled. WMI activity may also be captured in Event IDs 5857-5861 from Microsoft-Windows-WMI-Activity/Operational.
- Test 4: Enumerate Local Groups on Linux with groups and getent
  Expected signal: Auditd process creation events (if auditd is configured with -a always,exit -F arch=b64 -S execve rules) for the groups, id, getent, and cat processes. Syslog entries if process accounting is enabled. On systems with Sysmon for Linux, Event ID 1 process creation events will be generated.
- Test 5: Simulate Turla-style net localgroup output redirection
  Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'net localgroup administrators' and the output redirection '>>'. Sysmon Event ID 1: Child process net.exe spawned by cmd.exe with CommandLine 'net localgroup administrators'. Sysmon Event ID 11: File Create event for the output file in %TEMP%. Security Event ID 4688 for both cmd.exe and net.exe if process creation auditing is enabled.
References (12)
- https://attack.mitre.org/techniques/T1069/001/
- https://attack.mitre.org/software/S0039/
- https://attack.mitre.org/software/S0521/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/net-localgroup
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localgroup
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.welivesecurity.com/2020/05/26/agentbtz-comrat-ten-years/
- https://www.mandiant.com/resources/blog/admin338
- https://www.microsoft.com/en-us/security/blog/2016/04/29/digging-deep-for-platinum/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.crowdstrike.com/blog/understanding-active-directory-attack-tools/