Description
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as `net group /domain` (from the Net utility on Windows), `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain-level groups.
Platforms
Threat Groups (13)
| ID | Group | Context |
|---|---|---|
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has used the AD Explorer tool to enumerate groups on a victim's network.(Citation: MSTIC DEV-0537 Mar... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has executed `net group "domain admins" /dom` for discovery on compromised machines.(Citation: Kaspe... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has run `net group` in compromised environments to discover domain groups.(Citation: Secureworks... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used `net group /domain`, `net group “domain admins” /domain`, and `net... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged [AdFind](https://attack.mitre.org/software/S0552) to enumerate domain groups.(Cit... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used the command `net group "domain admins" /domain` to enumerate domain groups.(Citation: Mandiant ... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has enumerated domain groups on targeted hosts.(Citation: Huntress INC Ransom Group August 2023) |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs discovery of permission groups using `net group /domain`.(Citation: Mandiant Operation... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used `net group "Domain Admins" /domain` to identify domain administrators.(Citation: ES... |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has used specific malware modules to gather domain membership.(Citation: Symantec Inception Framewo... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized the `net group` command to query domain groups within the victim environment.(Citat... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has enumerated Active Directory security groups including through the use of ADExplorer, AD... |
Associated Software (23)
| ID | Name | Type | Context |
|---|---|---|---|
| S0236 | Kwampirs | Malware | [Kwampirs](https://attack.mitre.org/software/S0236) collects a list of domain groups with the command `net localgroup /domain`.(Citation: S... |
| S0039 | Net | Tool | Commands such as `net group /domain` can be used in [Net](https://attack.mitre.org/software/S0039) to gather information about and manipula... |
| S0521 | BloodHound | Tool | [BloodHound](https://attack.mitre.org/software/S0521) can collect information about domain groups and members.(Citation: CrowdStrike BloodHound April ... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can use `System.DirectoryServices` namespace to retrieve domain group information.(Citation: ... |
| S1138 | Gootloader | Malware | [Gootloader](https://attack.mitre.org/software/S1138) can determine if a targeted system is part of an Active Directory domain by expanding the %USER... |
| S0417 | GRIFFON | Malware | [GRIFFON](https://attack.mitre.org/software/S0417) has used a reconnaissance module that can be used to retrieve Windows domain membership information... |
| S0552 | AdFind | Tool | [AdFind](https://attack.mitre.org/software/S0552) can enumerate domain groups.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: Fir... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can identify targets by querying account groups on a domain controller.(Citation: Cobalt Strik... |
| S0184 | POWRUNER | Malware | [POWRUNER](https://attack.mitre.org/software/S0184) may collect domain group information by running `net group /domain` or a series of othe... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) can determine if a user on a compromised host has domain admin privileges.(Citation: Microsoft Bla... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can run PowerShell cmdlets to discover domain groups.(Citation: Cisco Talos Qilin Ransomware OCT 2025... |
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) can use `net group` for discovery on targeted domains.(Citation: Trend Micro Black Basta Oct... |
| S9035 | LAMEHUG | Malware | [LAMEHUG](https://attack.mitre.org/software/S9035) can use [dsquery](https://attack.mitre.org/software/S0105) to gather domain group information.(Cita... |
| S0516 | SoreFang | Malware | [SoreFang](https://attack.mitre.org/software/S0516) can enumerate domain groups by executing `net.exe group /domain`.(Citation: CISA SoreFa... |
| S0165 | OSInfo | Malware | [OSInfo](https://attack.mitre.org/software/S0165) specifically looks for Domain Admins and power users within the domain.(Citation: Symantec Buckeye) |
| S0514 | WellMess | Malware | [WellMess](https://attack.mitre.org/software/S0514) can identify domain group membership for the current user.(Citation: CISA WellMess July 2020) |
| S0554 | Egregor | Malware | [Egregor](https://attack.mitre.org/software/S0554) can conduct Active Directory reconnaissance using tools such as Sharphound or [AdFind](https://atta... |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can use `net.exe group "domain admins" /domain` to identify Domain Administrators.(Citation: BitDe... |
| S0170 | Helminth | Malware | [Helminth](https://attack.mitre.org/software/S0170) has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands <c... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) can identify domain groups through `cmd.exe /c net group "Domain Admins" /domain`.(Citation: Bi... |
Frequently Asked Questions
What is T1069.002 (Domain Groups)?
T1069.002 is a MITRE ATT&CK technique named 'Domain Groups'. It belongs to the Discovery tactic. Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to...
How can T1069.002 be detected?
Detection of T1069.002 (Domain Groups) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
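As an added example that is not part of the ATT&CK page, the following script turns the discovery commands named in the Description (`net group /domain`, `dscacheutil -q group`, `ldapsearch`, plus the `dsquery group` form the software table mentions) into process-creation detection rules and runs them over constructed sample events; the host names, user names, rule names and the severity scheme are all assumptions.

```python
import re
from typing import Optional

# Detection rules for the discovery commands named on this page. Each rule is
# (name, pattern); patterns are matched against the full process command line.
RULES = [
    # net / net1 / net.exe (local)group ... /dom or /domain (the abbreviated "/dom" is covered)
    ("net_group_domain",
     re.compile(r'(?:^|[\\/\s])net1?(?:\.exe)?\s+(?:local)?group\b.*\s/dom(?:ain)?\b', re.I)),
    # macOS Directory Services cache query for groups
    ("dscacheutil_group", re.compile(r'\bdscacheutil\b.*\s-q\s+group\b', re.I)),
    # ldapsearch with an objectClass=group filter
    ("ldapsearch_group", re.compile(r'\bldapsearch\b.*objectclass=group', re.I)),
    # dsquery group (listed on this page for LAMEHUG)
    ("dsquery_group", re.compile(r'\bdsquery(?:\.exe)?\s+group\b', re.I)),
]
# Group names whose enumeration deserves higher severity (both appear on this page).
HIGH_VALUE = re.compile(r'domain admins|exchange trusted subsystem', re.I)

def classify(cmd: str) -> Optional[dict]:
    """Return the matching rule and a high-value flag for a command line, or None."""
    for name, rx in RULES:
        if rx.search(cmd):
            return {"rule": name, "high_value_group": bool(HIGH_VALUE.search(cmd))}
    return None

def scan(events: list) -> list:
    """Run every event through classify(); keep only the hits, annotated with the verdict."""
    hits = []
    for ev in events:
        verdict = classify(ev["cmd"])
        if verdict:
            hits.append({**ev, **verdict})
    return hits

# Constructed sample events (hypothetical hosts and users) in the minimal shape a
# process-creation source such as Windows 4688 or Sysmon Event ID 1 would yield.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "cmd": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "user": "CORP\\jdoe", "cmd": 'cmd.exe /c net1 group /dom'},
    {"host": "WS02", "user": "CORP\\svc_backup", "cmd": 'net.exe localgroup /domain'},
    {"host": "MAC01", "user": "alice", "cmd": 'dscacheutil -q group'},
    {"host": "LNX01", "user": "bob",
     "cmd": 'ldapsearch -x -b "dc=corp,dc=example" "(objectClass=group)" member'},
    {"host": "WS03", "user": "CORP\\it_admin", "cmd": 'dsquery group -name "Exchange Trusted Subsystem"'},
    {"host": "WS01", "user": "CORP\\jdoe", "cmd": 'net use Z: \\\\fs01\\share'},      # benign net usage
    {"host": "LNX01", "user": "bob", "cmd": 'ldapsearch -x "(objectClass=user)" cn'},  # not a group query
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        sev = "HIGH" if hit["high_value_group"] else "MEDIUM"
        print(f'{sev:6} {hit["host"]:6} {hit["user"]:16} {hit["rule"]:18} {hit["cmd"]}')
```

On a domain controller a bare `net group` (no `/domain`) also lists domain groups, so the first rule can be relaxed for DC telemetry; the benign `net use` and user-object `ldapsearch` events show the rules stay quiet on ordinary activity.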
What mitigations exist for T1069.002?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1069.002?
Known threat groups using T1069.002 include: LAPSUS$, ToddyCat, Volt Typhoon, OilRig, Mustang Panda, FIN7, INC Ransom, Ke3chang.