T1069.002 Sumo Logic CSE · Sumo

Detect Domain Groups in Sumo Logic CSE

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Commands such as net group /domain, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups. Tools such as BloodHound, AdFind, and AD Explorer are also commonly used for this purpose by threat actors including OilRig, FIN7, Volt Typhoon, LAPSUS$, and ToddyCat.

MITRE ATT&CK

Tactic: Discovery
Technique: T1069 Permission Groups Discovery
Sub-technique: T1069.002 Domain Groups
Canonical reference: https://attack.mitre.org/techniques/T1069/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
// Process-creation events: Windows Security EventCode 4688 or Sysmon EventCode 1
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*)
| where %"EventCode" in ("1", "4688") OR EventCode in (1, 4688)
// Normalise field names across the Sysmon and Security 4688 schemas
| eval CommandLine = if (!isNull(%"CommandLine"), %"CommandLine", if (!isNull(%"ProcessCommandLine"), %"ProcessCommandLine", ""))
| eval Image = if (!isNull(%"Image"), toLowerCase(%"Image"), if (!isNull(%"NewProcessName"), toLowerCase(%"NewProcessName"), ""))
| eval ParentImage = if (!isNull(%"ParentImage"), toLowerCase(%"ParentImage"), if (!isNull(%"ParentProcessName"), toLowerCase(%"ParentProcessName"), ""))
// matches is case-sensitive, so all comparisons below run against lowercased strings
| eval CommandLineLower = toLowerCase(CommandLine)
// Signal 1: net/net1 group enumeration against the domain
| eval IsNetGroup = if(
    (Image matches "*\\net.exe" OR Image matches "*\\net1.exe")
    AND CommandLineLower matches "* group *"
    AND (
      CommandLineLower matches "*/domain*" OR
      CommandLineLower matches "*domain admins*" OR
      CommandLineLower matches "*enterprise admins*" OR
      CommandLineLower matches "*schema admins*" OR
      CommandLineLower matches "*domain controllers*" OR
      CommandLineLower matches "*group policy*"
    ), 1, 0)
// Signal 2: PowerShell AD module / PowerView / raw DirectorySearcher group queries
| eval IsPowerShellAD = if(
    (Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe")
    AND (
      CommandLineLower matches "*get-adgroup*" OR
      CommandLineLower matches "*get-adgroupmember*" OR
      CommandLineLower matches "*get-domaingroup*" OR
      CommandLineLower matches "*get-netgroup*" OR
      CommandLineLower matches "*directorysearcher*" OR
      CommandLineLower matches "*objectclass=group*" OR
      CommandLineLower matches "*samaccounttype*"
    ), 1, 0)
// Signal 3: known AD reconnaissance tools, matched on image name only
| eval IsADTool = if(
    Image matches "*adfind.exe" OR
    Image matches "*sharphound.exe" OR
    Image matches "*bloodhound.exe" OR
    Image matches "*adexplorer.exe" OR
    Image matches "*adexplorer64.exe", 1, 0)
// Signal 4: built-in dsquery/dsget group lookups
| eval IsDSQuery = if(
    (Image matches "*\\dsquery.exe" OR Image matches "*\\dsget.exe")
    AND CommandLineLower matches "*group*", 1, 0)
| eval DetectionScore = IsNetGroup + IsPowerShellAD + IsADTool + IsDSQuery
| where DetectionScore > 0
// First matching signal labels the alert (precedence: net, PowerShell, tool, dsquery)
| eval DetectionMethod = if(IsNetGroup = 1, "net group /domain",
    if(IsPowerShellAD = 1, "PowerShell AD Enumeration",
    if(IsADTool = 1, "Known AD Enumeration Tool",
    if(IsDSQuery = 1, "dsquery/dsget group", "Unknown"))))
// Enrichment: privileged group named on the command line
| eval TargetingPrivilegedGroup = if(
    CommandLineLower matches "*domain admins*" OR
    CommandLineLower matches "*enterprise admins*" OR
    CommandLineLower matches "*schema admins*" OR
    CommandLineLower matches "*domain controllers*" OR
    CommandLineLower matches "*group policy creator*", "true", "false")
// Enrichment: script host or Office parent, typical of phishing-delivered execution
| eval SuspiciousParent = if(
    ParentImage matches "*wscript.exe" OR
    ParentImage matches "*cscript.exe" OR
    ParentImage matches "*mshta.exe" OR
    ParentImage matches "*winword.exe" OR
    ParentImage matches "*excel.exe" OR
    ParentImage matches "*outlook.exe", "true", "false")
| fields _time, %"host", %"User", Image, CommandLine, ParentImage, DetectionMethod, TargetingPrivilegedGroup, SuspiciousParent, DetectionScore
| sort by _time desc
```

Severity: medium · Confidence: high

Detects T1069.002 domain group enumeration in Sumo Logic using Windows Security EventCode 4688 and Sysmon EventCode 1 process creation events. Implements a multi-signal scoring approach covering net group /domain, PowerShell AD cmdlets, known AD reconnaissance tools (AdFind, SharpHound, BloodHound, ADExplorer), and dsquery/dsget group commands. Enriches each alert with privileged group targeting flags and suspicious parent process context.
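The scoring chain the query implements, replayed in Python over constructed process events so the four signals, the DetectionMethod precedence and the two enrichment flags can be unit-tested offline. This is an added example, not code from the page or from Sumo Logic; the pattern lists and field fallbacks are copied from the query above, and the sample events are fabricated.

```python
import fnmatch
# Constructed sample events (not real telemetry), mixing the Sysmon and Security 4688
# field names (Image/NewProcessName etc.) that the query's eval fallbacks normalise.
EVENTS = [
    {"EventCode": "1", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain', "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": "4688", "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessCommandLine": "powershell -c Get-ADGroupMember 'Enterprise Admins'",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": "1", "Image": r"C:\Users\alice\Downloads\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=group", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\net.exe",  # benign: no " group " token
     "CommandLine": "net user alice /domain", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
NET_GROUP = ["*/domain*", "*domain admins*", "*enterprise admins*", "*schema admins*",
             "*domain controllers*", "*group policy*"]
PS_AD = ["*get-adgroup*", "*get-adgroupmember*", "*get-domaingroup*", "*get-netgroup*",
         "*directorysearcher*", "*objectclass=group*", "*samaccounttype*"]
AD_TOOLS = ["*adfind.exe", "*sharphound.exe", "*bloodhound.exe", "*adexplorer.exe", "*adexplorer64.exe"]
PRIVILEGED = ["*domain admins*", "*enterprise admins*", "*schema admins*",
              "*domain controllers*", "*group policy creator*"]
SUSPICIOUS_PARENTS = ["*wscript.exe", "*cscript.exe", "*mshta.exe", "*winword.exe", "*excel.exe", "*outlook.exe"]

def matches(value, patterns):
    """Sumo's case-sensitive `matches "*x*"` glob; inputs are lowercased first, as in the query."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def score_event(ev):
    """Replay the query's eval chain for one event; None when the query would drop it."""
    if str(ev.get("EventCode")) not in ("1", "4688"):
        return None
    cmd = (ev.get("CommandLine") or ev.get("ProcessCommandLine") or "").lower()
    image = (ev.get("Image") or ev.get("NewProcessName") or "").lower()
    parent = (ev.get("ParentImage") or ev.get("ParentProcessName") or "").lower()
    is_net = matches(image, ["*\\net.exe", "*\\net1.exe"]) and matches(cmd, ["* group *"]) and matches(cmd, NET_GROUP)
    is_ps = matches(image, ["*\\powershell.exe", "*\\pwsh.exe"]) and matches(cmd, PS_AD)
    is_tool = matches(image, AD_TOOLS)
    is_ds = matches(image, ["*\\dsquery.exe", "*\\dsget.exe"]) and "group" in cmd
    score = is_net + is_ps + is_tool + is_ds  # DetectionScore
    if score == 0:
        return None  # where DetectionScore > 0
    method = ("net group /domain" if is_net else "PowerShell AD Enumeration" if is_ps
              else "Known AD Enumeration Tool" if is_tool else "dsquery/dsget group")  # first signal wins
    return {"DetectionMethod": method, "DetectionScore": score,
            "TargetingPrivilegedGroup": matches(cmd, PRIVILEGED),
            "SuspiciousParent": matches(parent, SUSPICIOUS_PARENTS)}

def run(events=EVENTS):
    return [r for r in map(score_event, events) if r is not None]
```

Feeding a tuning candidate from the False Positives list (for example a helpdesk tool's net group call) through score_event shows exactly which signal and enrichment flag it would trip before an exclusion is added to the query.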

Data Sources

  • Windows Security Event Log (EventCode 4688) via Sumo Logic Windows collector
  • Sysmon Operational Log (EventCode 1) via Sumo Logic installed collector
  • Sumo Logic Cloud SIEM Enterprise normalized process events

Required Tables

  • _sourceCategory=*windows*
  • _sourceCategory=*sysmon*

False Positives & Tuning

  • System administrators using Get-ADGroup or Get-ADGroupMember in PowerShell scripts during user onboarding, offboarding, or access reviews in Change Management windows
  • Authorized penetration testing or Red Team exercises using AdFind, SharpHound, or BloodHound against the Active Directory environment with written authorization
  • Enterprise identity management platforms (CyberArk, BeyondTrust, Saviynt) that enumerate domain group memberships as part of privileged access certification workflows
  • Helpdesk tooling that invokes net group /domain to look up group membership during Tier 1 support calls
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Net Group Domain Admin Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=net.exe or net1.exe, CommandLine containing 'group' and '/domain'. Security Event ID 4688 (if command line auditing is enabled). On the domain controller, Security Event ID 4661 may appear if SACL auditing is configured on the Domain Admins group object.

  2. Test 2: PowerShell Active Directory Module Group Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADGroup' and 'Get-ADGroupMember'. Sysmon Event ID 3: LDAP network connections (port 389 or 3268) from powershell.exe to the domain controller IP. PowerShell ScriptBlock Log Event ID 4104 with the full command. Sysmon Event ID 11: File creation event for groups_out.txt in %TEMP%.

  3. Test 3: AdFind Domain Group Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=AdFind.exe, CommandLine containing '-f' and 'objectClass=group'. Sysmon Event ID 3: Network connections from AdFind.exe to the domain controller on LDAP port 389 or Global Catalog port 3268. Sysmon Event ID 11: Output files created in %TEMP%. Prefetch file created at C:\Windows\Prefetch\ADFIND.EXE-*.pf.

  4. Test 4: dsquery Group Enumeration

    Expected signal: Sysmon Event ID 1: Process Create events with Image=dsquery.exe and Image=dsget.exe, CommandLine containing 'group'. Security Event ID 4688 if command line auditing is enabled. Sysmon Event ID 3: LDAP connections (port 389) from dsquery.exe to the domain controller.
