title: Local Groups (T1069.001)
id: df00tech-t1069-001
status: experimental
description: "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as net localgroup of the Net utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups."
references:
  - https://attack.mitre.org/techniques/T1069/001/
  - https://df00tech.com/detections/T1069.001
author: df00tech
date: 2026/04/17
tags:
  - attack.t1069.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated. The selection below is
  # derived from the command named in the description (net localgroup) and covers
  # both net.exe and the net1.exe helper it hands the command to; compare it against
  # the original query on df00tech before deploying.
  selection:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
    CommandLine|contains: 'localgroup'
  condition: selection
falsepositives:
  - IT administrators manually inventorying local group membership during routine system audits or change management
  - "Endpoint management agents (SCCM, Intune, Tanium, CrowdStrike) that enumerate local groups as part of system inventory or compliance checks"
  - "Vulnerability scanners and security assessment tools (Nessus, Qualys, Rapid7) that enumerate local groups as part of credentialed scans"
  - Helpdesk scripts and support tools that check local group membership before granting or revoking access
  - Legitimate user enumeration during Active Directory domain join procedures or user provisioning workflows
level: medium
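The following is an added example, not part of the df00tech rule or the Sigma project: a minimal Sigma-style matcher that evaluates a `net localgroup` process_creation selection (derived from the rule description) over a handful of constructed events, and applies a tuning filter for the endpoint-management false positives the rule lists. The field names follow the Sigma process_creation convention (Image, CommandLine, ParentImage); the agent parent-image paths and every sample event are constructed placeholders.

```python
"""Sigma-style matcher for a 'net localgroup' process_creation selection.

Added example; not the df00tech rule's own logic. Field names follow the Sigma
process_creation convention. Agent paths and sample events are constructed.
"""

# Selection in Sigma's "field|modifier: value(s)" form, derived from the
# description's "net localgroup". net.exe delegates to net1.exe, so both binaries
# produce a process_creation event for one command.
SELECTION = {
    "Image|endswith": ["\\net.exe", "\\net1.exe"],
    "CommandLine|contains": "localgroup",
}

# Tuning filter for the rule's listed false positives (inventory/compliance
# agents). These parent-image names are hypothetical placeholders; replace them
# with the agents actually deployed in your environment.
KNOWN_INVENTORY_PARENTS = [
    "\\ccmexec.exe",                      # placeholder: SCCM client agent
    "\\intunemanagementextension.exe",    # placeholder: Intune agent
]


def _values(v):
    """Sigma allows a scalar or a list of alternatives (ORed)."""
    return v if isinstance(v, list) else [v]


def field_matches(event, key, expected):
    """Evaluate one 'field|modifier' entry against an event, case-insensitively."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for candidate in _values(expected):
        cand = str(candidate).lower()
        if modifier == "contains" and cand in actual:
            return True
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "startswith" and actual.startswith(cand):
            return True
        if modifier == "" and actual == cand:
            return True
    return False


def match_selection(event, selection=SELECTION):
    """Every entry in a Sigma selection map must match (AND semantics)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def is_known_inventory_parent(event):
    """True when the process was spawned by one of the tuned-out agents."""
    parent = str(event.get("ParentImage", "")).lower()
    return any(parent.endswith(p) for p in KNOWN_INVENTORY_PARENTS)


def detect(events, suppress_known_parents=True):
    """Return the events that match the selection, minus tuned-out parents."""
    hits = []
    for ev in events:
        if not match_selection(ev):
            continue
        if suppress_known_parents and is_known_inventory_parent(ev):
            continue
        hits.append(ev)
    return hits


# Constructed sample events (no real hosts or users).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net localgroup administrators",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\net1.exe",            # child spawned by net.exe
     "CommandLine": "C:\\Windows\\system32\\net1 localgroup administrators",
     "ParentImage": "C:\\Windows\\System32\\net.exe", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\net.exe",              # unrelated net subcommand
     "CommandLine": "net use \\\\fileserver\\share",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\whoami.exe",           # outside this selection's scope
     "CommandLine": "whoami /groups",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\net.exe",              # matches, but from an agent
     "CommandLine": "net localgroup Administrators",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev['User']}: {ev['CommandLine']}")
```

Note that the first two sample events are one user action: `net.exe` hands the command to `net1.exe`, so a rule keyed on both images will raise two alerts per invocation unless the SIEM deduplicates on the parent/child process pair. The `whoami /groups` event is left unmatched deliberately; it shows that this selection covers only the `net` utility named in the description, not every way of enumerating group membership.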
