Description
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Commands such as net localgroup of the Net utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups.
Platforms
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used <code>net localgroup</code> and <code>net localgroup Administrators</code> to enumerate group ... |
| G0131 | Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used the <code>ShowLocalGroupDetails</code> command to identify administrator, user, and guest... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has run `net localgroup` to enumerate local groups.(Citation: Kaspersky Lyceum October 2021) |
| G0018 | admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following command following exploitation of a machine with [LOWBALL](https://attack... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>net localgroup administrators</code> to identify accounts with local administrative r... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has run `net localgroup administrators` in compromised environments to enumerate accounts.(Cita... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used <code>net localgroup administrators</code> to find local administrators on compromised system... |
Associated Software (21)
| ID | Name | Type | Context |
|---|---|---|---|
| S0201 | JPIN | Malware | [JPIN](https://attack.mitre.org/software/S0201) can obtain the permissions of the victim user.(Citation: Microsoft PLATINUM April 2016) |
| S0060 | Sys10 | Malware | [Sys10](https://attack.mitre.org/software/S0060) collects the group name of the logged-in user and sends it to the C2.(Citation: Baumgartner Naikon 20... |
| S0521 | BloodHound | Tool | [BloodHound](https://attack.mitre.org/software/S0521) can collect information about local groups and members.(Citation: CrowdStrike BloodHound April 2... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can obtain a list of local groups and members.(Citation: GitHub SILENTTRINITY Modules July 20... |
| S1179 | Exbyte | Malware | [Exbyte](https://attack.mitre.org/software/S1179) checks whether the process is running with privileged local access during execution.(Citation: Micro... |
| S0184 | POWRUNER | Malware | [POWRUNER](https://attack.mitre.org/software/S0184) may collect local group information by running <code>net localgroup administrators</code> or a ser... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use <code>net localgroup</code> to enable discovery of local groups.(Citation: Kaspersky QakBot ... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can use <code>net localgroup</code> to list local groups on a system.(Citation: Cobalt Strike... |
| S0039 | Net | Tool | Commands such as <code>net group</code> and <code>net localgroup</code> can be used in [Net](https://attack.mitre.org/software/S0039) to gather inform... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) contains modules, such as <code>Get-LocAdm</code> for enumerating permission groups.(Citation: GitHu... |
| S0265 | Kazuar | Malware | [Kazuar](https://attack.mitre.org/software/S0265) gathers information about local groups and members.(Citation: Unit 42 Kazuar May 2017) |
| S0082 | Emissary | Malware | [Emissary](https://attack.mitre.org/software/S0082) has the capability to execute the command <code>net localgroup administrators</code>.(Citation: Em... |
| S0696 | Flagpro | Malware | [Flagpro](https://attack.mitre.org/software/S0696) has been used to execute the <code>net localgroup administrators</code> command on a targeted syste... |
| S0572 | Caterpillar WebShell | Malware | [Caterpillar WebShell](https://attack.mitre.org/software/S0572) can obtain a list of local groups of users from a system.(Citation: ClearSky Lebanese ... |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can discover local group memberships.(Citation: ESET Turla Lunar toolset May 2024) |
| S0170 | Helminth | Malware | [Helminth](https://attack.mitre.org/software/S0170) has checked the local administrators group.(Citation: Unit 42 Playbook Dec 2017) |
| S0091 | Epic | Malware | [Epic](https://attack.mitre.org/software/S0091) gathers information on local group names.(Citation: Kaspersky Turla Aug 2014) |
| S0165 | OSInfo | Malware | [OSInfo](https://attack.mitre.org/software/S0165) has enumerated the local administrators group.(Citation: Symantec Buckeye) |
| S1198 | Gomir | Malware | [Gomir](https://attack.mitre.org/software/S1198) checks the effective group ID of its process when initially executed to determine if it is in group 0... |
| S0381 | FlawedAmmyy | Malware | [FlawedAmmyy](https://attack.mitre.org/software/S0381) enumerates the privilege level of the victim during the initial infection.(Citation: Proofpoint... |
Frequently Asked Questions
What is T1069.001 (Local Groups)?
T1069.001 is a MITRE ATT&CK technique named 'Local Groups'. It belongs to the Discovery tactic(s). Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to...
How can T1069.001 be detected?
Detection of T1069.001 (Local Groups) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1069.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1069.001?
Known threat groups using T1069.001 include: Turla, Tonto Team, HEXANE, admin@338, Chimera, Volt Typhoon, OilRig.