T1069.001

Local Groups

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscl . -list...

Platforms: Linux, macOS, Windows

35 Detections | 3 Sources | 7 Threat Actors

By source: sigma (15), splunk_escu (14), elastic (6)

PROCEDURES (25)

Each entry below is an auto-extracted procedure category with its detection count.

- Process Creation Monitoring: 3 detections
- Powershell: 2 detections
- Lateral: 2 detections
- Remote: 2 detections
- Powershell: 2 detections
- Powershell: 2 detections
- Wmi: 2 detections
- Privilege: 2 detections
- General Monitoring: 2 detections
- Service: 1 detection
- Privilege: 1 detection
- Service: 1 detection
- Script Block: 1 detection
- Unusual: 1 detection
- Suspicious: 1 detection
- Lateral: 1 detection
- Persist: 1 detection
- Script Execution Monitoring: 1 detection
- File Monitoring: 1 detection
- Azure: 1 detection
- Azure: 1 detection
- Lateral: 1 detection
- Unusual: 1 detection
- Script Block: 1 detection
- Wmi: 1 detection

DETECTIONS (35)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity level.

- AD Groups Or Users Enumeration Using PowerShell - PoshModule (sigma, low)
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock (sigma, low)
- BloodHound Collection Files (sigma, high)
- Detect AzureHound Command-Line Arguments (splunk_escu)
- Detect AzureHound File Modifications (splunk_escu)
- Detect SharpHound Command-Line Arguments (splunk_escu)
- Detect SharpHound File Modifications (splunk_escu)
- Detect SharpHound Usage (splunk_escu)
- Enumeration of Administrator Accounts (elastic, low)
- Enumeration of Privileged Local Groups Membership (elastic, medium)
- Enumeration of Users or Groups via Built-in Commands (elastic, low)
- Get WMIObject Group Discovery (splunk_escu)
- Get WMIObject Group Discovery with Script Block Logging (splunk_escu)
- HackTool - Bloodhound/Sharphound Execution (sigma, high)
- Local Groups Discovery - Linux (sigma, low)
- Local Groups Discovery - MacOs (sigma, informational)
- Local Groups Reconnaissance Via Wmic.EXE (sigma, low)
- Malicious PowerShell Commandlets - PoshModule (sigma, high)
- Malicious PowerShell Commandlets - ProcessCreation (sigma, high)
- Malicious PowerShell Commandlets - ScriptBlock (sigma, high)
- Network Traffic to Active Directory Web Services Protocol (splunk_escu)
- Permission Check Via Accesschk.EXE (sigma, medium)
- PowerShell Get LocalGroup Discovery (splunk_escu)
- Powershell Get LocalGroup Discovery with Script Block Logging (splunk_escu)
- PowerShell Suspicious Discovery Related Windows API Functions (elastic, low)
- Sudo Command Enumeration Detected (elastic, low)
- Suspicious Get Information for SMB Share (sigma, low)
- Suspicious Get Information for SMB Share - PowerShell Module (sigma, low)
- Suspicious Get Local Groups Information (sigma, low)
- Suspicious Get Local Groups Information - PowerShell (sigma, low)
- Unusual User Privilege Enumeration via id (elastic, medium)
- Windows Admin Permission Discovery (splunk_escu)
- Windows Group Discovery Via Net (splunk_escu)
- Windows SOAPHound Binary Execution (splunk_escu)
- Wmic Group Discovery (splunk_escu)