T1069 Sumo Logic CSE · Sumo

Detect Permission Groups Discovery in Sumo Logic CSE

Adversaries may attempt to discover group and permission settings to understand which user accounts and groups are available, group memberships, and which users and groups have elevated permissions. This information informs targeting decisions and enables privilege escalation, lateral movement, and persistence planning. Common enumeration methods include native Windows commands (net group, net localgroup), PowerShell cmdlets (Get-ADGroup, Get-LocalGroup), LDAP queries, BloodHound/SharpHound collection, Linux identity commands (id, groups, getent group), and cloud-provider APIs. Threat actors including APT41, TA505, Volt Typhoon, and Scattered Spider have used these techniques in real-world intrusions.

MITRE ATT&CK

Tactic
Discovery
Technique
T1069 Permission Groups Discovery
Canonical reference
https://attack.mitre.org/techniques/T1069/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /(?i)\b(EventCode|event_id)=(1|4688)\b/
| parse "Image=*" as Image nodrop
| parse "NewProcessName=*" as NewProcessName nodrop
| parse "CommandLine=*" as CommandLine nodrop
| parse "ProcessCommandLine=*" as ProcessCommandLine nodrop
| parse "ParentImage=*" as ParentImage nodrop
| parse "ParentProcessName=*" as ParentProcessName nodrop
| parse "User=*" as User nodrop
| parse "Computer=*" as Computer nodrop
| if(isEmpty(Image), NewProcessName, Image) as process_image
| if(isEmpty(CommandLine), ProcessCommandLine, CommandLine) as cmd_line
| if(isEmpty(ParentImage), ParentProcessName, ParentImage) as parent_image
| toLowerCase(process_image) as lower_image
| toLowerCase(cmd_line) as lower_cmd
| toLowerCase(parent_image) as lower_parent
| where (
    lower_image matches /\\net1?\.exe$/
    and lower_cmd matches /\bnet1?(\.exe)?\s+(local)?group\b/
  ) or (
    lower_image matches /\\(powershell|pwsh)\.exe$/
    and lower_cmd matches /get-(adgroup|adgroupmember|localgroup|localgroupmember|adprincipalgroupmembership)/
  ) or (
    lower_image matches /\\(dsquery|dsget)\.exe$/
    and lower_cmd matches /\bgroup\b/
  ) or (
    lower_image matches /\\whoami\.exe$/
    and lower_cmd matches /\/(groups|all|priv)\b/
  ) or (
    lower_image matches /\\gpresult\.exe$/
  ) or (
    lower_cmd matches /sharphound|bloodhound|--?collectionmethods?\b/
  )
| if(lower_cmd matches /\/domain\b|\bnet1?\s+group\b|\bdsquery\s+group\b|get-adgroup/, 1, 0) as IsDomainGroupQuery
| if(lower_cmd matches /\blocalgroup\b|get-localgroup|whoami\s+\/groups/, 1, 0) as IsLocalGroupQuery
| if(lower_cmd matches /sharphound|bloodhound|-collectionmethod/, 1, 0) as IsBloodHound
| if(lower_parent matches /wscript|cscript|mshta|rundll32|regsvr32/, 1, 0) as SuspiciousParent
| fields _messageTime, Computer, User, process_image, cmd_line, parent_image, IsDomainGroupQuery, IsLocalGroupQuery, IsBloodHound, SuspiciousParent
| sort by _messageTime desc

Severity: medium. Confidence: medium.

Sumo Logic search query detecting MITRE T1069 Permission Groups Discovery from Windows Security process creation events (EventCode 4688) and Sysmon process creation events (EventCode 1). The event ID filter is word-bounded so that other Sysmon IDs beginning with 1 (11, 12, 13, ...) are not pulled in, and the differing field names of the two sources (Image/NewProcessName, CommandLine/ProcessCommandLine, ParentImage/ParentProcessName) are coalesced with if()/as before matching, in Sumo search syntax rather than Splunk-style eval. It identifies group enumeration via net.exe/net1.exe (the group or localgroup verb, not any command line containing the substring "group"), PowerShell AD and local group cmdlets, dsquery/dsget, whoami group and privilege queries, gpresult, and BloodHound/SharpHound collectors. Each matching event is enriched with flags for the kind of group query and for whether a script host or LOLBin parent (wscript, cscript, mshta, rundll32, regsvr32) launched it.
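As an added example, not code from the original page or from Sumo Logic, the same classification logic re-implemented in Python and run over constructed event messages, so the matching can be checked offline before the rule is deployed. The events, host names, user names and paths are synthetic. Beyond the query itself it shows two edge cases: the process creation filter needs a word boundary (a Sysmon EventCode=11 FileCreate event would otherwise satisfy "EventCode=1"), and the net.exe clause must look for the group or localgroup verb, because a benign `net use` against a share path containing "group" would otherwise fire.

```python
"""Offline re-implementation of the T1069 query logic over constructed events (added example)."""
import re

# Constructed sample events in the key=value layout of Windows event messages.
# Synthetic data: hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    # Sysmon EID 1: domain group enumeration from an interactive cmd.exe
    "EventCode=1\nImage=C:\\Windows\\System32\\net.exe\n"
    "CommandLine=net group \"Domain Admins\" /domain\n"
    "ParentImage=C:\\Windows\\System32\\cmd.exe\nUser=CORP\\jdoe\nComputer=WS01.corp.local",
    # Security 4688 (command-line auditing enabled): local token query
    "EventCode=4688\nNewProcessName=C:\\Windows\\System32\\whoami.exe\n"
    "ProcessCommandLine=whoami /groups\n"
    "ParentProcessName=C:\\Windows\\System32\\cmd.exe\nUser=CORP\\jdoe\nComputer=WS01.corp.local",
    # Sysmon EID 1: benign net.exe share mapping whose path merely contains 'group'
    "EventCode=1\nImage=C:\\Windows\\System32\\net.exe\n"
    "CommandLine=net use Z: \\\\fs01\\groupshare\n"
    "ParentImage=C:\\Windows\\explorer.exe\nUser=CORP\\jdoe\nComputer=WS01.corp.local",
    # Sysmon EID 1: AD cmdlet launched from a script host
    "EventCode=1\nImage=C:\\Program Files\\PowerShell\\7\\pwsh.exe\n"
    "CommandLine=pwsh -c Get-ADGroupMember -Identity 'Domain Admins'\n"
    "ParentImage=C:\\Windows\\System32\\wscript.exe\nUser=CORP\\svc_backup\nComputer=WS02.corp.local",
    # Sysmon EID 1: SharpHound collector renamed to an arbitrary binary name
    "EventCode=1\nImage=C:\\Users\\Public\\sh.exe\n"
    "CommandLine=sh.exe --collectionmethods All\n"
    "ParentImage=C:\\Windows\\System32\\cmd.exe\nUser=CORP\\jdoe\nComputer=WS01.corp.local",
    # Sysmon EID 11 (FileCreate) also carries an Image field but is not a process creation
    "EventCode=11\nImage=C:\\Windows\\System32\\net.exe\nTargetFilename=C:\\Temp\\group.txt\n"
    "User=CORP\\jdoe\nComputer=WS01.corp.local",
]

FIELD_RE = re.compile(r"^(\w+)=(.*)$", re.MULTILINE)
# Word boundary after the ID: without it "EventCode=11" satisfies "EventCode=1".
PROC_CREATE_RE = re.compile(r"\b(?:EventCode|event_id)=(?:1|4688)\b", re.IGNORECASE)

# (image pattern, command-line pattern); None means no constraint on that field.
RULES = [
    (r"\\net1?\.exe$", r"\bnet1?(?:\.exe)?\s+(?:local)?group\b"),   # the verb, not a substring
    (r"\\(?:powershell|pwsh)\.exe$",
     r"get-(?:adgroup|adgroupmember|localgroup|localgroupmember|adprincipalgroupmembership)"),
    (r"\\(?:dsquery|dsget)\.exe$", r"\bgroup\b"),
    (r"\\whoami\.exe$", r"/(?:groups|all|priv)\b"),
    (r"\\gpresult\.exe$", None),                                     # image only
    (None, r"sharphound|bloodhound|--?collectionmethods?\b"),        # any image
]


def parse_event(raw):
    """Extract key=value fields and coalesce Sysmon/Security names as the query's if() steps do."""
    f = dict(FIELD_RE.findall(raw))
    return {
        "is_proc_create": bool(PROC_CREATE_RE.search(raw)),
        "image": (f.get("Image") or f.get("NewProcessName") or "").lower(),
        "cmd": (f.get("CommandLine") or f.get("ProcessCommandLine") or "").lower(),
        "parent": (f.get("ParentImage") or f.get("ParentProcessName") or "").lower(),
        "user": f.get("User", ""),
        "computer": f.get("Computer", ""),
    }


def _flag(pattern, text):
    return int(bool(re.search(pattern, text)))


def classify(evt):
    """Return the enriched record the query would emit, or None if the event does not match."""
    if not evt["is_proc_create"]:
        return None
    if not any((img is None or re.search(img, evt["image"]))
               and (cmd is None or re.search(cmd, evt["cmd"])) for img, cmd in RULES):
        return None
    c = evt["cmd"]
    return {
        "Computer": evt["computer"], "User": evt["user"],
        "process_image": evt["image"], "cmd_line": c, "parent_image": evt["parent"],
        "IsDomainGroupQuery": _flag(r"/domain\b|\bnet1?\s+group\b|\bdsquery\s+group\b|get-adgroup", c),
        "IsLocalGroupQuery": _flag(r"\blocalgroup\b|get-localgroup|whoami\s+/groups", c),
        "IsBloodHound": _flag(r"sharphound|bloodhound|-collectionmethod", c),
        "SuspiciousParent": _flag(r"wscript|cscript|mshta|rundll32|regsvr32", evt["parent"]),
    }


def run(raw_events=SAMPLE_EVENTS):
    """Apply the detection to raw event messages; returns only the matching records."""
    return [rec for rec in (classify(parse_event(e)) for e in raw_events) if rec]


if __name__ == "__main__":
    for rec in run():
        print(rec)
```

On the six constructed events the function returns four records (net.exe, whoami.exe, pwsh.exe and the renamed SharpHound), with the `net use` mapping and the FileCreate event dropped; the pwsh record carries both IsDomainGroupQuery and SuspiciousParent because wscript.exe is its parent. Feeding real exported messages through `run()` is a quick way to check field coalescing against your own collector's layout before tuning the Sumo query.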

Data Sources

  • Windows Event Log (Security 4688, Sysmon EID 1)
  • Sumo Logic Windows Collector
  • Sumo Logic Cloud SIEM Enterprise

Required Tables

Windows event log sources via _sourceCategory

False Positives & Tuning

  • System administrators performing routine AD group membership reviews or compliance checks using Get-ADGroup and related PowerShell cmdlets from management workstations
  • Help desk technicians running gpresult or whoami /all to troubleshoot GPO application or access permission issues for end users
  • Automated discovery agents from CyberArk, BeyondTrust, or similar PAM solutions enumerating privileged group memberships during account vaulting
  • Red team or penetration testing exercises using BloodHound/SharpHound with documented authorization and scope agreements
  • gpresult.exe is matched on image name alone, with no command-line condition, so every GPO troubleshooting run fires; if volume is high, require a switch such as /r, /z or /scope in cmd_line, or exclude help desk hosts and accounts
  • Security Event ID 4688 carries ProcessCommandLine only when the "Include command line in process creation events" audit policy is enabled; without it, the command-line clauses cannot match 4688 events and only Sysmon-sourced hits (plus the image-only gpresult clause) will appear

Testing Methodology

Validate this detection against five Atomic Red Team tests for T1069. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Local Group Enumeration via net.exe

    Expected signal: Sysmon Event ID 1: Two Process Create events for net.exe (or net1.exe, which net.exe spawns internally). CommandLine values: 'net localgroup' and 'net localgroup Administrators'. Security Event ID 4688 if command line auditing is enabled. Parent process will be cmd.exe or the shell used to execute the commands.

  2. Test 2: Domain Group Enumeration via net.exe

    Expected signal: Sysmon Event ID 1: Process Create for net.exe with CommandLine 'net group /domain' and 'net group "Domain Admins" /domain'. Network connection to a domain controller on TCP 445: net group /domain enumerates over SAMR through the \samr named pipe on SMB, not LDAP, although a CLDAP DC-locator ping on UDP 389 may precede it. On the domain controller: Security Event ID 4661/4662 may fire for SAM group object access if object access auditing is enabled.

  3. Test 3: PowerShell Active Directory Group Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADGroup' and 'Get-ADGroupMember'. PowerShell ScriptBlock Log Event ID 4104 capturing the full script content. Network traffic from the ActiveDirectory module goes to Active Directory Web Services on the domain controller (TCP 9389), not to LDAP 389/636; direct LDAP traffic on 389/636 appears only when the script uses [adsisearcher] or System.DirectoryServices instead of the AD cmdlets.

  4. Test 4: whoami Group Membership Query

    Expected signal: Sysmon Event ID 1: Two Process Create events for whoami.exe. CommandLine values: 'whoami /groups' and 'whoami /all'. No network traffic (local token query). The output, which lists group SIDs, group names and enabled privileges, goes only to the console and is not logged, so the process creation events (and the 4688 ProcessCommandLine, if command line auditing is enabled) are the signal to rely on.

  5. Test 5: Linux Group Discovery via id and getent

    Expected signal: Linux auditd: syscall execve events for /usr/bin/id, /usr/bin/groups, /usr/bin/getent with their respective arguments. Syslog entries if exec auditing is enabled. On systems with osquery or EDR agents: process creation events for each command with full argument lists. Note that the query above matches Windows process telemetry only (net.exe, PowerShell, whoami and similar images), so this test validates the Linux data source rather than this rule; a separate rule over auditd or EDR process events is needed to alert on it.

