title: Domain Groups (T1069.002)
id: df00tech-t1069-002
status: experimental
description: "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Commands such as net group /domain, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups. Tools such as BloodHound, AdFind, and AD Explorer are also commonly used for this purpose by threat actors including OilRig, FIN7, Volt Typhoon, LAPSUS$, and ToddyCat."
references:
  - https://attack.mitre.org/techniques/T1069/002/
  - https://df00tech.com/detections/T1069.002
author: df00tech
date: 2026/04/17
tags:
  - attack.t1069.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators running legitimate Active Directory audits or health checks using net group or PowerShell AD cmdlets
  - Helpdesk staff using AD management tools to look up group memberships when resolving user access issues
  - "Monitoring and SIEM agents (e.g., Microsoft Defender for Identity, CrowdStrike Falcon) performing scheduled AD enumeration as part of their normal operation"
  - Automated scripts used during onboarding or offboarding processes that check group membership to provision or deprovision access
  - "Vulnerability scanners and compliance tools (e.g., Tenable, Qualys) that enumerate AD groups as part of their assessment scope"
level: medium
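Added example, not part of the df00tech rule or its KQL/SPL query: a Python sketch of the process_creation selection that the rule's `EventID: '*'` placeholder stands in for, run over constructed Sysmon-style events. The field names, the executable basenames for AdFind and AD Explorer, and the allowlisted scanner account are assumptions, and BloodHound collectors are deliberately not matched here because their binary names vary.

```python
"""Added example (not df00tech's code): reference logic for the T1069.002
process_creation selection, with an allowlist for the false-positive
sources the rule lists (e.g. a vulnerability-scanner service account)."""
import re

# Executables the ATT&CK description names for domain-group enumeration.
# AdFind.exe and ADExplorer.exe basenames are assumed here; "net" only
# counts when its arguments are "group ... /domain" (T1069.001 uses
# "localgroup", which the word boundary below intentionally excludes).
_ENUM_IMAGES = {"adfind.exe", "adexplorer.exe"}
_NET_IMAGES = {"net.exe", "net1.exe"}
_NET_GROUP = re.compile(r"\bgroup\b.*/domain\b", re.IGNORECASE)


def matches_t1069_002(event):
    """True if one Sysmon-style event looks like domain-group enumeration."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    if image in _NET_IMAGES:
        return bool(_NET_GROUP.search(cmdline))
    return image in _ENUM_IMAGES


def detect(events, allowlisted_users=frozenset()):
    """Return matching events, skipping accounts tuned out as benign.

    allowlisted_users holds lower-cased DOMAIN\\user strings."""
    hits = []
    for ev in events:
        if ev.get("User", "").lower() in allowlisted_users:
            continue
        if matches_t1069_002(ev):
            hits.append(ev)
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": 'net group "Domain Admins" /domain', "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\net1.exe", "CommandLine": "net1 group /domain", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use Z: \\fs01\share", "User": "CORP\\jdoe"},
    {"Image": r"C:\Tools\AdFind.exe", "CommandLine": "AdFind.exe -f objectcategory=group", "User": "CORP\\svc_scanner"},
    {"Image": r"C:\Users\jdoe\ADExplorer.exe", "CommandLine": "ADExplorer.exe", "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    # svc_scanner is an assumed scanner service account from the falsepositives list.
    for ev in detect(SAMPLE_EVENTS, allowlisted_users={"corp\\svc_scanner"}):
        print("T1069.002 candidate:", ev["User"], "->", ev["CommandLine"])
```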
