Detect Permission Groups Discovery in CrowdStrike LogScale
Adversaries may attempt to discover group and permission settings to understand which user accounts and groups are available, group memberships, and which users and groups have elevated permissions. This information informs targeting decisions and enables privilege escalation, lateral movement, and persistence planning. Common enumeration methods include native Windows commands (net group, net localgroup), PowerShell cmdlets (Get-ADGroup, Get-LocalGroup), LDAP queries, BloodHound/SharpHound collection, Linux identity commands (id, groups, getent group), and cloud-provider APIs. Threat actors including APT41, TA505, Volt Typhoon, and Scattered Spider have used these techniques in real-world intrusions.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1069 Permission Groups Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1069/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\|\/)((net|net1|powershell|pwsh|dsquery|dsget|whoami|gpresult)\.exe)$/
| CommandLine = /(?i)(group|localgroup|Get-ADGroup|Get-ADGroupMember|Get-LocalGroup|Get-LocalGroupMember|Get-ADPrincipalGroupMembership|dsquery group|dsget group|\/groups|\/all|\/priv|gpresult|SharpHound|BloodHound|-CollectionMethod|--CollectionMethods)/
| case {
ImageFileName = /(?i)(\\|\/)net1?\.exe$/ AND CommandLine = /(?i)(group|localgroup)/ | IsDomainGroupQuery := if(CommandLine = /(?i)\/domain/, true, false), IsLocalGroupQuery := if(CommandLine = /(?i)localgroup/, true, false), QueryType := "net_group_enum" ;
ImageFileName = /(?i)(\\|\/)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Get-ADGroup|Get-ADGroupMember|Get-LocalGroup|Get-LocalGroupMember|Get-ADPrincipalGroupMembership)/ | IsDomainGroupQuery := if(CommandLine = /(?i)Get-ADGroup/, true, false), IsLocalGroupQuery := if(CommandLine = /(?i)Get-LocalGroup/, true, false), QueryType := "powershell_group_enum" ;
ImageFileName = /(?i)(\\|\/)(dsquery|dsget)\.exe$/ AND CommandLine = /(?i)group/ | IsDomainGroupQuery := true, IsLocalGroupQuery := false, QueryType := "ldap_group_enum" ;
ImageFileName = /(?i)(\\|\/)whoami\.exe$/ AND CommandLine = /(?i)(\/groups|\/all|\/priv)/ | IsDomainGroupQuery := false, IsLocalGroupQuery := true, QueryType := "whoami_groups" ;
ImageFileName = /(?i)(\\|\/)gpresult\.exe$/ | IsDomainGroupQuery := false, IsLocalGroupQuery := true, QueryType := "gpresult" ;
CommandLine = /(?i)(SharpHound|BloodHound|-CollectionMethod|--CollectionMethods)/ | IsDomainGroupQuery := true, IsLocalGroupQuery := true, QueryType := "bloodhound_collection" ;
* | QueryType := "other"
}
| SuspiciousParent := if(ParentBaseFileName = /(?i)(wscript|cscript|mshta|rundll32|regsvr32)\.exe$/, true, false)
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, QueryType, IsDomainGroupQuery, IsLocalGroupQuery, SuspiciousParent])
| sort(field=@timestamp, order=desc)CrowdStrike LogScale (Falcon) CQL query detecting MITRE T1069 Permission Groups Discovery using ProcessRollup2 events from the Falcon sensor. Detects net.exe/net1.exe group commands, PowerShell AD/local group cmdlets, dsquery/dsget LDAP group enumeration, whoami with privilege flags, gpresult, and BloodHound/SharpHound collection. Uses case expressions to classify each match by query type (domain vs local) and flags events originating from suspicious parent processes like wscript, cscript, mshta, rundll32, and regsvr32.
Data Sources
Required Tables
False Positives & Tuning
- Active Directory administrators running Get-ADGroup, Get-ADGroupMember, or dsquery group from domain controller admin sessions as part of access review processes
- IT helpdesk staff executing whoami /groups, whoami /all, or gpresult to verify Group Policy application and troubleshoot access issues
- Privileged Access Management (PAM) solutions such as CyberArk or BeyondTrust periodically enumerating group memberships to build and maintain privileged access inventories
- Authorized purple team exercises using BloodHound/SharpHound for AD attack path analysis within agreed engagement windows
Other platforms for T1069
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Local Group Enumeration via net.exe
Expected signal: Sysmon Event ID 1: Two Process Create events for net.exe (or net1.exe, which net.exe spawns internally). CommandLine values: 'net localgroup' and 'net localgroup Administrators'. Security Event ID 4688 if command line auditing is enabled. Parent process will be cmd.exe or the shell used to execute the commands.
- Test 2Domain Group Enumeration via net.exe
Expected signal: Sysmon Event ID 1: Process Create for net.exe with CommandLine 'net group /domain' and 'net group "Domain Admins" /domain'. Network connection to domain controller on port 389 (LDAP) or 445 (SMB SAMR protocol). On the domain controller: Security Event ID 4661/4662 may fire for SAM group object access.
- Test 3PowerShell Active Directory Group Enumeration
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADGroup' and 'Get-ADGroupMember'. PowerShell ScriptBlock Log Event ID 4104 capturing the full script content. LDAP network traffic to domain controller on port 389/636.
- Test 4whoami Group Membership Query
Expected signal: Sysmon Event ID 1: Two Process Create events for whoami.exe. CommandLine values: 'whoami /groups' and 'whoami /all'. No network traffic (local token query). Output includes SID values, group names, and enabled privileges — this data is often captured via screen scraping in interactive sessions.
- Test 5Linux Group Discovery via id and getent
Expected signal: Linux auditd: syscall execve events for /usr/bin/id, /usr/bin/groups, /usr/bin/getent with respective arguments. Syslog entries if exec auditing is enabled. On systems with osquery or EDR agents: process creation events for each command with full argument lists.
References (11)
- https://attack.mitre.org/techniques/T1069/
- https://attack.mitre.org/techniques/T1069/001/
- https://attack.mitre.org/techniques/T1069/002/
- https://attack.mitre.org/techniques/T1069/003/
- https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/net-group
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
- https://github.com/BloodHoundAD/BloodHound
- https://www.mandiant.com/resources/blog/apt41-initiates-global-intrusion-campaign-using-multiple-exploits
Unlock Pro Content
Get the full detection package for T1069 including response playbook, investigation guide, and atomic red team tests.