| Item | Value |
|---|---|
| ID | DET0114 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1069.001 (Local Groups)
Analytics
Windows
AN0317
Detects attempts to enumerate local groups via Net.exe, PowerShell, or native API calls that precede lateral movement or privilege abuse.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Time window between group enumeration and lateral movement or privilege escalation activity. |
| UserContext | Whether the process was executed by a privileged or low-privilege account. |
Linux
AN0318
Detects enumeration of local groups using common binaries (groups, getent, cat /etc/group) or scripting with suspicious lineage.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ProcessName | Detection tuning for binaries like groups, getent, awk, or cut that may be used in pipelines. |
| ParentProcess | Used to determine whether enumeration was triggered by a script or terminal. |
macOS
AN0319
Detects use of dscl or id/group commands to enumerate local system groups, often by post-exploitation tools or persistence checks.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| CommandLineContains | Match on specific dscl paths like `/Groups` or known enumeration options. |
| InteractiveSession | Used to scope out enumeration from user terminals versus background utilities. |
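The following is an added example, not part of DET0114 or any of the analytics above, showing how the three analytics (AN0317, AN0318, AN0319) and their mutable elements could be expressed as one small detector run over process-creation events. The event schema, the sample events, the tunable values, the `remote_logon` category used for the TimeWindow correlation, and the specific command-line patterns are all assumptions made for this illustration; a real deployment would map them onto its own EDR or audit telemetry.

```python
"""Toy local-group enumeration detector covering the Windows, Linux and macOS
analytics of DET0114. Added example; event shape and samples are constructed."""
import re
from datetime import datetime, timedelta

# Tunables named after the page's mutable elements; the values are assumptions.
TUNABLES = {
    "TimeWindow": timedelta(minutes=10),                       # AN0317 TimeWindow
    "PrivilegedUsers": {"SYSTEM", "Administrator", "root"},    # AN0317 UserContext
    "ProcessName": {"groups", "getent", "cat", "awk", "cut"},  # AN0318 ProcessName
    "ScriptParents": {"bash", "sh", "python3", "perl"},        # AN0318 ParentProcess
    "CommandLineContains": ["/Groups"],                        # AN0319 CommandLineContains
}

# Windows: net/net1 localgroup, or PowerShell local group cmdlets (assumed patterns).
WIN_PATTERNS = [
    re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b", re.I),
    re.compile(r"\bGet-LocalGroup(?:Member)?\b", re.I),
]
# Linux: direct reads of /etc/group, getent group, or the groups binary.
LINUX_GROUP_RE = re.compile(r"/etc/group\b|\bgetent\s+group\b|^groups\b")


def classify(ev, t=TUNABLES):
    """Return an alert dict for a single process event, or None if it is benign."""
    plat, cmd, proc = ev["platform"], ev["cmdline"], ev["process"].lower()
    if plat == "windows":
        if any(p.search(cmd) for p in WIN_PATTERNS):
            ctx = "privileged" if ev["user"] in t["PrivilegedUsers"] else "low-privilege"
            return {"analytic": "AN0317", "reason": f"local group enumeration by {ctx} account"}
    elif plat == "linux":
        if proc in t["ProcessName"] and LINUX_GROUP_RE.search(cmd):
            scripted = ev["parent"].lower() in t["ScriptParents"] and not ev["interactive"]
            return {"analytic": "AN0318",
                    "reason": "scripted group enumeration" if scripted else "interactive group enumeration"}
    elif plat == "macos":
        if proc == "dscl" and any(s in cmd for s in t["CommandLineContains"]):
            return {"analytic": "AN0319", "reason": "dscl group enumeration"}
        # id/groups from a user terminal is scoped out (InteractiveSession); background use is kept.
        if proc in {"id", "groups"} and not ev["interactive"]:
            return {"analytic": "AN0319", "reason": "non-interactive id/groups enumeration"}
    return None


def correlate(events, t=TUNABLES):
    """Pair each enumeration alert with a later 'remote_logon' event (constructed
    category standing in for lateral movement) by the same user inside TimeWindow."""
    hits = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, ev in enumerate(ordered):
        if classify(ev, t) is None:
            continue
        for later in ordered[i + 1:]:
            if later["ts"] - ev["ts"] > t["TimeWindow"]:
                break
            if later.get("category") == "remote_logon" and later["user"] == ev["user"]:
                hits.append((ev, later))
    return hits


T0 = datetime(2025, 10, 21, 10, 0)


def ev(platform, process, parent, cmdline, user, minutes, interactive=True, **extra):
    """Build a constructed process event; 'minutes' is the offset from T0."""
    return {"platform": platform, "process": process, "parent": parent, "cmdline": cmdline,
            "user": user, "ts": T0 + timedelta(minutes=minutes), "interactive": interactive, **extra}


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ev("windows", "net.exe", "cmd.exe", "net localgroup administrators", "jdoe", 0),
    ev("windows", "", "", "", "jdoe", 4, category="remote_logon", dest="FILESRV01"),
    ev("windows", "powershell.exe", "explorer.exe", "Get-Process", "jdoe", 6),
    ev("linux", "cat", "bash", "cat /etc/group", "www-data", 1, interactive=False),
    ev("linux", "cat", "bash", "cat /etc/hosts", "alice", 2),
    ev("macos", "dscl", "osascript", "dscl . -list /Groups", "mallory", 3, interactive=False),
    ev("macos", "id", "zsh", "id -Gn", "bob", 5),
]


def run(events=SAMPLE_EVENTS, t=TUNABLES):
    """Return (per-event alerts, correlated enumeration->remote_logon pairs)."""
    alerts = [(e["user"], a) for e in events if (a := classify(e, t))]
    return alerts, correlate(events, t)


if __name__ == "__main__":
    alerts, pairs = run()
    for user, alert in alerts:
        print(f"{alert['analytic']}: {user}: {alert['reason']}")
    for enum_ev, logon in pairs:
        print(f"TimeWindow hit: {enum_ev['user']} enumerated groups then logged on to {logon['dest']}")
```

Against the constructed sample, the detector raises one alert per platform and one TimeWindow correlation (jdoe's `net localgroup` followed four minutes later by a remote logon); the interactive `id -Gn` and the `cat /etc/hosts` read produce nothing, which is the effect the InteractiveSession and ProcessName tunables are meant to have.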