title: Permission Groups Discovery (T1069)
id: df00tech-t1069
status: experimental
description: "Adversaries may attempt to discover group and permission settings to understand which user accounts and groups are available, group memberships, and which users and groups have elevated permissions. This information informs targeting decisions and enables privilege escalation, lateral movement, and persistence planning. Common enumeration methods include native Windows commands (net group, net localgroup), PowerShell cmdlets (Get-ADGroup, Get-LocalGroup), LDAP queries, BloodHound/SharpHound collection, Linux identity commands (id, groups, getent group), and cloud-provider APIs. Threat actors including APT41, TA505, Volt Typhoon, and Scattered Spider have used these techniques in real-world intrusions."
references:
  - https://attack.mitre.org/techniques/T1069/
  - https://df00tech.com/detections/T1069
author: df00tech
date: 2026/04/18
tags:
  - attack.t1069
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Process-creation approximation of the enumeration methods named in the description
  # (net group/localgroup, the AD and local group cmdlets, BloodHound/SharpHound).
  # The original KQL/SPL query on df00tech may cover additional telemetry.
  selection_net:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
    CommandLine|contains:
      - ' group'
      - ' localgroup'
  selection_powershell:
    CommandLine|contains:
      - 'Get-ADGroup'
      - 'Get-LocalGroup'
  selection_bloodhound:
    CommandLine|contains:
      - 'SharpHound'
      - 'BloodHound'
  condition: 1 of selection_*
falsepositives:
  - IT administrators and helpdesk staff routinely running net localgroup or net group to troubleshoot access issues
  - Active Directory management scripts and scheduled tasks using Get-ADGroup or Get-ADGroupMember for account provisioning
  - "Security tools and monitoring agents (e.g., CrowdStrike, Tenable) that enumerate group memberships as part of posture assessment"
  - Software installation processes that check for membership in local Administrators or specific service groups
  - Legitimate BloodHound usage by authorized red team or vulnerability management teams with change management records
  - GPO deployment verification scripts using gpresult to confirm policy application to the correct groups
level: medium
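To check what such a rule actually fires on before deploying it, the following added example (written for this page, not code from df00tech or from the rule's published query) encodes the enumeration commands named in the description as Sigma-style selections and evaluates them over constructed Sysmon-like process-creation events. The events, the selection names, and the minimal matcher for the `contains`/`endswith` modifiers are all assumptions made for illustration; real Sigma backends translate these modifiers into the target SIEM's query language.

```python
"""Run T1069-style process-creation selections over constructed sample events."""

# Constructed Sysmon Event ID 1 style records (not real telemetry).
# The last two are benign: a 'net use' and a notepad launch whose argument
# happens to contain the substring ' group'.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  group "Domain Admins" /domain'},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup administrators"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c Get-ADGroupMember 'Domain Admins'"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\SharpHound.exe",
     "CommandLine": "SharpHound.exe -c All --zipfilename out.zip"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fs01\share"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe groups.txt"},
]

# Selections mirroring the enumeration methods listed in the rule description.
# Within one selection every field must match (AND); values in a list are OR.
SELECTIONS = {
    "selection_net": {
        "Image|endswith": ["\\net.exe", "\\net1.exe"],
        "CommandLine|contains": [" group", " localgroup"],
    },
    "selection_powershell": {
        "CommandLine|contains": ["Get-ADGroup", "Get-LocalGroup"],
    },
    "selection_bloodhound": {
        "CommandLine|contains": ["SharpHound", "BloodHound"],
    },
}


def field_matches(value: str, modifier: str, patterns: list[str]) -> bool:
    """Sigma string matching is case-insensitive; a list of values is a logical OR."""
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "equals" and v == p:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All field conditions of a selection must hold for the event (logical AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier or "equals", patterns):
            return False
    return True


def matching_selections(event: dict) -> list[str]:
    """Names of every selection the event satisfies."""
    return [name for name, sel in SELECTIONS.items() if selection_matches(event, sel)]


def evaluate(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Apply the condition '1 of selection_*': an event fires if any selection matches.

    Returns (event index, matched selection names) for each firing event.
    """
    hits = []
    for index, event in enumerate(events):
        matched = matching_selections(event)
        if matched:
            hits.append((index, matched))
    return hits


if __name__ == "__main__":
    for index, matched in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['CommandLine']!r} -> {matched}")
```

The two benign events do not fire: `net use` carries no group keyword, and the notepad launch contains ` group` but fails the `Image|endswith` constraint, which is why the `net.exe`/`net1.exe` image check is paired with the command-line substring rather than used on its own. Tuning for the false positives listed above (helpdesk accounts, provisioning scripts, posture-assessment agents) would be added as a `filter` selection on `User` or `ParentImage` and subtracted in the condition.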
