Detect Domain Groups in IBM QRadar
Adversaries may attempt to find domain-level groups and permission settings. Knowledge of domain-level permission groups tells an adversary which groups exist and which users belong to each, and from that which users hold elevated rights such as domain administrator. Commands such as net group /domain on Windows, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups. Tools such as BloodHound, AdFind, and AD Explorer are also commonly used for this purpose by threat actors including OilRig, FIN7, Volt Typhoon, LAPSUS$, and ToddyCat.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1069 Permission Groups Discovery
- Sub-technique: T1069.002 Domain Groups
- Canonical reference: https://attack.mitre.org/techniques/T1069/002/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    LOGSOURCETYPENAME(devicetype) AS LogSourceType,
    sourceip AS SourceIP,
    username AS UserName,
    "devicehostname" AS Hostname,
    "Image" AS ProcessImage,
    "CommandLine" AS CommandLine,
    "ParentImage" AS ParentProcess,
    QIDNAME(qid) AS EventName,
    CASE
        WHEN LOWER("Image") LIKE '%\\net.exe' OR LOWER("Image") LIKE '%\\net1.exe' THEN 'net group /domain'
        WHEN LOWER("Image") LIKE '%\\powershell.exe' OR LOWER("Image") LIKE '%\\pwsh.exe' THEN 'PowerShell AD Enumeration'
        WHEN LOWER("Image") LIKE '%adfind.exe' OR LOWER("Image") LIKE '%sharphound.exe' OR LOWER("Image") LIKE '%bloodhound.exe'
             OR LOWER("Image") LIKE '%adexplorer.exe' OR LOWER("Image") LIKE '%adexplorer64.exe' THEN 'Known AD Enumeration Tool'
        WHEN LOWER("Image") LIKE '%\\dsquery.exe' OR LOWER("Image") LIKE '%\\dsget.exe' THEN 'dsquery/dsget group'
        ELSE 'Unknown'
    END AS DetectionMethod,
    CASE
        WHEN LOWER("CommandLine") LIKE '%domain admins%'
          OR LOWER("CommandLine") LIKE '%enterprise admins%'
          OR LOWER("CommandLine") LIKE '%schema admins%'
          OR LOWER("CommandLine") LIKE '%domain controllers%'
          OR LOWER("CommandLine") LIKE '%group policy creator%'
        THEN 1 ELSE 0
    END AS TargetingPrivilegedGroup
FROM events
WHERE
    devicetype IN (12, 13, 191, 396)
    AND (
        (
            (LOWER("Image") LIKE '%\\net.exe' OR LOWER("Image") LIKE '%\\net1.exe')
            AND LOWER("CommandLine") LIKE '% group %'
            AND (
                LOWER("CommandLine") LIKE '%/domain%' OR
                LOWER("CommandLine") LIKE '%domain admins%' OR
                LOWER("CommandLine") LIKE '%enterprise admins%' OR
                LOWER("CommandLine") LIKE '%schema admins%' OR
                LOWER("CommandLine") LIKE '%domain controllers%' OR
                LOWER("CommandLine") LIKE '%group policy%'
            )
        )
        OR (
            (LOWER("Image") LIKE '%\\powershell.exe' OR LOWER("Image") LIKE '%\\pwsh.exe')
            AND (
                LOWER("CommandLine") LIKE '%get-adgroup%' OR
                LOWER("CommandLine") LIKE '%get-adgroupmember%' OR
                LOWER("CommandLine") LIKE '%get-domaingroup%' OR
                LOWER("CommandLine") LIKE '%get-netgroup%' OR
                LOWER("CommandLine") LIKE '%directorysearcher%' OR
                LOWER("CommandLine") LIKE '%objectclass=group%' OR
                LOWER("CommandLine") LIKE '%samaccounttype%'
            )
        )
        OR LOWER("Image") LIKE '%adfind.exe'
        OR LOWER("Image") LIKE '%sharphound.exe'
        OR LOWER("Image") LIKE '%bloodhound.exe'
        OR LOWER("Image") LIKE '%adexplorer.exe'
        OR LOWER("Image") LIKE '%adexplorer64.exe'
        OR (
            (LOWER("Image") LIKE '%\\dsquery.exe' OR LOWER("Image") LIKE '%\\dsget.exe')
            AND LOWER("CommandLine") LIKE '% group%'
        )
    )
ORDER BY starttime DESC
LAST 24 HOURS

Detects T1069.002 domain group enumeration in IBM QRadar using AQL against Windows process execution events from Sysmon (Event ID 1) and Security audit logs (Event ID 4688). Covers net group /domain, PowerShell AD group cmdlets, known tools such as AdFind, SharpHound, BloodHound and AD Explorer, and dsquery/dsget group commands. The DetectionMethod label and the TargetingPrivilegedGroup flag are computed in the SELECT list so an analyst can triage on them without re-reading the command line.

Before deploying, check the following:
- The WHERE clause filters on devicetype, the numeric log source type ID that LOGSOURCETYPENAME(devicetype) resolves to a name. These IDs are not guaranteed to be identical across deployments, and Sysmon events forwarded by WinCollect normally arrive under the Microsoft Windows Security Event Log log source type rather than under a separate Sysmon type, so do not assume 12/13 mean Windows Security and Sysmon. Confirm the IDs in your environment, for example with SELECT devicetype, LOGSOURCETYPENAME(devicetype) FROM events GROUP BY devicetype LAST 1 HOURS, and keep only the ones that actually carry Windows process-creation telemetry.
- "Image", "CommandLine", "ParentImage" and "devicehostname" are custom event properties and must exist under exactly those names. They follow Sysmon's field names; for Security 4688 events the equivalent fields are New Process Name, Process Command Line and Creator Process Name, so either map those to the same property names or add a second branch. 4688 carries the command line only when "Include command line in process creation events" is enabled by policy.
- DATEFORMAT takes a Java date pattern, so the year must be written yyyy; YYYY is the week-based year and produces a wrong year for the days around 1 January.
- AQL LIKE is case-sensitive, which is why every comparison wraps the property in LOWER(); the '% group %' pattern (spaces on both sides) is what keeps net user and net localgroup out of the net.exe branch.
False Positives & Tuning
- Active Directory auditing scripts run by IT operations that enumerate domain groups for compliance reporting or ITSM change management workflows
- Enterprise identity governance platforms (SailPoint, Saviynt, One Identity) that regularly query domain group membership to detect toxic combinations and certify access
- Helpdesk automation tools running PowerShell Get-ADGroup under a service account to display a user's group memberships during password-reset or access-request workflows
- Security scanning platforms (Tenable.ad, Semperis) legitimately enumerating group memberships for attack path analysis and exposure scoring
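As an added example (not the page's AQL, and not QRadar or Atomic Red Team code), the Python below replicates the rule's WHERE-clause tests and CASE labels over constructed Sysmon Event ID 1 style records, then layers on the kind of exclusions the tuning list above calls for, so the matching logic can be unit-tested offline before the rule is deployed. The sample events, the service-account names and the helpdesk parent process are assumptions; AD Explorer is labelled a known tool here because the query's filter lists it.

```python
"""Offline replica of the QRadar AQL domain-group rule (added example, not
QRadar code). Same WHERE tests and CASE labels, plus tuning exclusions."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """The fields the AQL reads: username plus the Image / CommandLine /
    ParentImage custom event properties."""
    username: str
    image: str
    command_line: str
    parent_image: str


# Terms copied from the AQL WHERE clause and CASE expressions.
NET_GROUP_TERMS = ("/domain", "domain admins", "enterprise admins",
                   "schema admins", "domain controllers", "group policy")
POWERSHELL_TERMS = ("get-adgroup", "get-adgroupmember", "get-domaingroup",
                    "get-netgroup", "directorysearcher", "objectclass=group",
                    "samaccounttype")
TOOL_SUFFIXES = ("adfind.exe", "sharphound.exe", "bloodhound.exe",
                 "adexplorer.exe", "adexplorer64.exe")
PRIVILEGED_GROUPS = ("domain admins", "enterprise admins", "schema admins",
                     "domain controllers", "group policy creator")


def _basename_in(image: str, names: tuple) -> bool:
    """Equivalent of LOWER("Image") LIKE '%\\name.exe' for each name."""
    img = image.lower()
    return any(img.endswith("\\" + n) for n in names)


def classify(ev: ProcessEvent):
    """DetectionMethod label for an event that passes the WHERE clause,
    or None for an event the rule would not return."""
    cmd = ev.command_line.lower()
    if _basename_in(ev.image, ("net.exe", "net1.exe")):
        # '% group %' (spaces on both sides) drops 'net localgroup'/'net user'
        if " group " in cmd and any(t in cmd for t in NET_GROUP_TERMS):
            return "net group /domain"
        return None
    if _basename_in(ev.image, ("powershell.exe", "pwsh.exe")):
        if any(t in cmd for t in POWERSHELL_TERMS):
            return "PowerShell AD Enumeration"
        return None
    if any(ev.image.lower().endswith(s) for s in TOOL_SUFFIXES):
        return "Known AD Enumeration Tool"
    if _basename_in(ev.image, ("dsquery.exe", "dsget.exe")):
        if " group" in cmd:
            return "dsquery/dsget group"
        return None
    return None


def targets_privileged_group(ev: ProcessEvent) -> int:
    """The TargetingPrivilegedGroup flag (1/0) from the SELECT list."""
    cmd = ev.command_line.lower()
    return int(any(g in cmd for g in PRIVILEGED_GROUPS))


# Tuning exclusions. Account and parent-process names are ASSUMED values;
# replace them with principals you have verified in your own environment.
EXCLUDED_ACCOUNTS = {"corp\\svc_iga", "corp\\svc_adscan"}
EXCLUDED_PARENTS = ("\\helpdesk-portal.exe",)


def is_tuned_out(ev: ProcessEvent) -> bool:
    if ev.username.lower() in EXCLUDED_ACCOUNTS:
        return True
    return any(ev.parent_image.lower().endswith(p) for p in EXCLUDED_PARENTS)


def run_rule(events):
    """(username, DetectionMethod, TargetingPrivilegedGroup) for each event
    the tuned rule would alert on, in input order."""
    hits = []
    for ev in events:
        method = classify(ev)
        if method is None or is_tuned_out(ev):
            continue
        hits.append((ev.username, method, targets_privileged_group(ev)))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("CORP\\jdoe", "C:\\Windows\\System32\\net.exe",
                 'net group "Domain Admins" /domain', "C:\\Windows\\System32\\cmd.exe"),
    ProcessEvent("CORP\\jdoe", "C:\\Windows\\System32\\net.exe",
                 "net localgroup administrators", "C:\\Windows\\System32\\cmd.exe"),
    ProcessEvent("CORP\\svc_iga", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -Command Get-ADGroupMember -Identity 'Domain Admins'",
                 "C:\\Windows\\System32\\services.exe"),
    ProcessEvent("CORP\\analyst", "C:\\Tools\\AdFind.exe",
                 "AdFind.exe -f objectClass=group -dn", "C:\\Windows\\System32\\cmd.exe"),
    ProcessEvent("CORP\\jdoe", "C:\\Windows\\System32\\dsquery.exe",
                 'dsquery group -name "Domain Controllers"', "C:\\Windows\\System32\\cmd.exe"),
    ProcessEvent("CORP\\helpdesk1", "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
                 "pwsh.exe -c Get-NetGroup -Domain corp.local",
                 "C:\\Program Files\\Helpdesk\\helpdesk-portal.exe"),
    ProcessEvent("CORP\\jdoe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
                 "pwsh.exe -c Get-Process", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Run directly, it prints three alerts: the net group query and the dsquery call against Domain Controllers (both flagged as targeting a privileged group) and the AdFind run. The Get-ADGroupMember call under the governance service account and the Get-NetGroup call spawned by the helpdesk portal match the rule but are tuned out, and net localgroup never matches. Where you can, tune on the combination of account and parent process rather than on the account alone: an attacker who obtains the governance service account inherits a username-only exclusion.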
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1069.002. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Net Group Domain Admin Enumeration
Expected signal: Sysmon Event ID 1 (Process Create) with Image=net.exe or net1.exe and a CommandLine containing 'group' and '/domain'. Security Event ID 4688 if command line auditing is enabled. On the domain controller, Security Event ID 4661 may appear if SACL auditing is configured on the Domain Admins group object.
- Test 2: PowerShell Active Directory Module Group Enumeration
Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and a CommandLine containing 'Get-ADGroup' and 'Get-ADGroupMember'. Sysmon Event ID 3: LDAP network connections (port 389 or 3268) from powershell.exe to a domain controller IP. PowerShell ScriptBlock Log Event ID 4104 with the full command. Sysmon Event ID 11: file creation event for groups_out.txt in %TEMP%.
- Test 3: AdFind Domain Group Enumeration
Expected signal: Sysmon Event ID 1 (Process Create) with Image=AdFind.exe and a CommandLine containing '-f' and 'objectClass=group'. Sysmon Event ID 3: network connections from AdFind.exe to a domain controller on LDAP port 389 or Global Catalog port 3268. Sysmon Event ID 11: output files created in %TEMP%. Prefetch file created at C:\Windows\Prefetch\ADFIND.EXE-*.pf.
- Test 4: dsquery Group Enumeration
Expected signal: Sysmon Event ID 1 (Process Create) with Image=dsquery.exe or dsget.exe and a CommandLine containing 'group'. Security Event ID 4688 if command line auditing is enabled. Sysmon Event ID 3: LDAP connections (port 389) from dsquery.exe to a domain controller.
References
- https://attack.mitre.org/techniques/T1069/002/
- https://attack.mitre.org/techniques/T1069/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer
- https://www.joeware.net/freetools/tools/adfind/
- https://bloodhound.readthedocs.io/en/latest/
- https://github.com/BloodHoundAD/BloodHound
- https://www.secureworks.com/blog/bronze-silhouette-volt-typhoon
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.kaspersky.com/about/press-releases/2023_toddycat
- https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts