
DET0179 Behavioral Detection of Permission Groups Discovery

ID: DET0179
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1069 (Permission Groups Discovery)

Analytics

Windows

AN0507

Detection of adversary enumeration of domain or local group memberships via native tools such as net.exe, PowerShell, or WMI. This activity may precede lateral movement or privilege escalation.

Log Sources
  Data Component               Channel
  Process Creation (DC0032)    WinEventLog:Security EventCode=4688
  Command Execution (DC0064)   WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106

Mutable Elements
  CommandLineRegex: Regex filters for matching group enumeration commands (e.g. 'net group', 'net localgroup', 'Get-ADGroupMember'). Note that net.exe delegates most subcommands to net1.exe, so the 4688 record that carries the arguments is often for net1.exe; match both binaries.
  TimeWindow: Time threshold for correlating group discovery with subsequent suspicious activity by the same user or host (e.g. lateral movement via WMI, PsExec or WinRM).
  UserContext: Whether the user performing discovery is in a sensitive group or running under an unusual context (e.g. a non-admin account querying Domain Admins).

Linux

AN0508

Detection of group enumeration using commands like ‘id’, ‘groups’, or ‘getent group’, often followed by privilege escalation or SSH lateral movement.

Log Sources
  Data Component               Channel
  Process Creation (DC0032)    auditd:SYSCALL execve

Mutable Elements
  CommandLine: Variations of enumeration commands tailored to different Linux distros (e.g. 'getent group', 'id', 'groups', or parsing /etc/group directly with cat, cut or awk).
  TTYSession: TTY context or source terminal (remote shell vs local login, or no TTY at all for cron and service jobs) to reduce noise.
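The auditd channel above delivers each execve() as a SYSCALL record plus an EXECVE record that share one audit(timestamp:serial) id, and auditd hex-encodes any argument containing whitespace, which hides `/etc/group` inside a `sh -c` string from a naive grep. The following Python is an added example (not from the page or from MITRE) that reassembles the pair, decodes the arguments and applies the CommandLine and TTYSession elements; the log lines are constructed and trimmed to the fields used.

```python
import re

# Constructed auditd output (not real telemetry), trimmed to the fields used here.
# Record 4570's a2 is hex for 'cat /etc/group | cut -d: -f1,4' because it contains spaces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1761040800.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=1000 euid=1000 tty=pts0 ses=4 comm="getent" exe="/usr/bin/getent" key="proc_exec"
type=EXECVE msg=audit(1761040800.123:4567): argc=2 a0="getent" a1="group"
type=SYSCALL msg=audit(1761040805.500:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2110 auid=1000 uid=1000 euid=1000 tty=pts0 ses=4 comm="sh" exe="/usr/bin/dash" key="proc_exec"
type=EXECVE msg=audit(1761040805.500:4570): argc=3 a0="sh" a1="-c" a2=636174202F6574632F67726F7570207C20637574202D643A202D66312C34
type=SYSCALL msg=audit(1761040860.001:4601): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=3001 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="id" exe="/usr/bin/id" key="proc_exec"
type=EXECVE msg=audit(1761040860.001:4601): argc=2 a0="id" a1="backup"
"""

FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')      # key=value, value quoted or bare
AUDIT_ID = re.compile(r"audit\(([\d.]+):(\d+)\)")            # (timestamp, serial)
# CommandLine element: direct tools plus anything that reads the group database files.
GROUP_ENUM = re.compile(r"^(?:id|groups)\b|^getent\s+group\b|/etc/(?:group|gshadow)\b")
AUID_UNSET = "4294967295"  # no login session (cron, systemd units, containers)


def decode_arg(raw):
    """auditd quotes printable args and hex-encodes the rest; undo both."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # e.g. (null)


def parse_execve_events(text):
    """Merge SYSCALL and EXECVE records sharing an audit id into one event
    carrying the decoded argv and the TTY / auid context."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"ts": float(m.group(1)), "argv": {}})
        fields = dict(FIELD.findall(line))
        if fields.get("type") == "SYSCALL":
            for k in ("auid", "uid", "tty", "ses", "exe", "comm"):
                ev[k] = fields.get(k, "").strip('"')
        elif fields.get("type") == "EXECVE":
            for k, v in fields.items():
                if k[0] == "a" and k[1:].isdigit():  # a0, a1, ... but not argc/arch
                    ev["argv"][int(k[1:])] = decode_arg(v)
    out = []
    for ev in sorted(events.values(), key=lambda e: e["ts"]):
        ev["cmdline"] = " ".join(ev["argv"][i] for i in sorted(ev["argv"]))
        out.append(ev)
    return out


def detect_group_enumeration(text):
    """Return every group-enumeration execve, with `alert` True only when the
    TTYSession context points at a human shell (pts/tty) or a real login session."""
    findings = []
    for ev in parse_execve_events(text):
        if not GROUP_ENUM.search(ev["cmdline"]):
            continue
        tty = ev.get("tty", "(none)")
        interactive = tty.startswith(("pts", "tty"))
        login_session = ev.get("auid", AUID_UNSET) != AUID_UNSET
        findings.append({"cmdline": ev["cmdline"], "tty": tty, "auid": ev.get("auid"),
                         "exe": ev.get("exe"), "alert": interactive or login_session})
    return findings


if __name__ == "__main__":
    for f in detect_group_enumeration(SAMPLE_AUDIT_LOG):
        print("ALERT " if f["alert"] else "noise ", f["tty"], f["auid"], f["cmdline"])
```

The hex-encoded `sh -c` argument decodes to a pipeline over /etc/group and is caught; the `id backup` call from a TTY-less, auid-less context (the shape of a cron or service job) is kept as a finding but not alerted, which is the noise reduction the TTYSession element is for. Matching on the decoded cmdline rather than on `comm` also matters because `comm` is truncated to 15 bytes and reflects only argv[0].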

macOS

AN0509

Group membership checks via ‘dscl’, ‘dscacheutil’, or ‘id’, typically executed via terminal or automation scripts.

Log Sources
  Data Component               Channel
  Process Creation (DC0032)    macos:unifiedlog process:launch

Mutable Elements
  CommandLine: Filters for suspicious execution of 'dscl . -read /Groups', 'dscacheutil -q group', 'id -G', etc.
  ParentProcess: Flag group enumeration launched from automation tools (e.g. LaunchAgents or suspicious apps) rather than an interactive terminal.