detection.wiki

ATT&CK coverage › Technique

Permission Groups Discovery: Local Groups T1069.001

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Events covered

6 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon3Network connection
Sysmon11FileCreate
Security-Auditing4688A new process has been created.
PowerShell4103Payload Context: ContextInfo User Data: UserData.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 19 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (15 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
ScriptBlockText6match 4, eq 2DoesNotRequirePreAuth, get-ADPrincipalGroupMembership, -f , Invoke-SauronEye, Get-FoxDump
Payload4match 4DoesNotRequirePreAuth, get-ADPrincipalGroupMembership, -f , Get-MachineAccountCreator, Invoke-SauronEye
Image4ends_with 3, match 1\svchost.exe, \SharpHound.exe, \Bloodhound.exe, \wmic.exe, \accesschk64.exe
CommandLine4match 4 --Loop --Loopduration , -ZipFileName , --NoSaveCache , group, Get-MachineAccountCreator
ContextInfo3match 3DoesNotRequirePreAuth, get-ADPrincipalGroupMembership, -f , get-smbshare, get-localgroupmember
file_name3in 3"*-azapplicationadmins.json", "*-azcloudappadmins.json", "*-azurecollection.zip", "*_groups.json", "*_users.json"
Product2match 1, ends_with 1SharpHound, AccessChk
Description2match 2SharpHound, Reports effective permissions
OriginalFileName2eq 2wmic.exe, accesschk.exe
EventID2eq 24104
TargetFilename1ends_with 1, starts_with 1_computers.json, _ous.json, C:\Program Files\WindowsApps\Microsoft.
Company1match 1evil corp, SpecterOps
DestinationPort1eq 19389
dropped_file_path_split_count1eq 12
root_drive1like 1"C:"

Top indicator values (680 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
EventIDeq41042108
ContextInfomatchget-aduser1
Payloadmatchget-aduser1
ContextInfomatch-f 1
ContextInfomatchDoesNotRequirePreAuth1
PayloadmatchDoesNotRequirePreAuth1
ContextInfomatch-pr 1
Payloadmatch-f 1
ContextInfomatchget-ADPrincipalGroupMembership1
Payloadmatch-pr 1
Payloadmatchget-ADPrincipalGroupMembership1
ScriptBlockTextmatchDoesNotRequirePreAuth1
ScriptBlockTextmatch-f 1
ScriptBlockTextmatch-pr 1
ScriptBlockTextmatchget-ADPrincipalGroupMembership1
ScriptBlockTextmatchget-aduser1
TargetFilenamestarts_withC:\Program Files\WindowsApps\Microsoft.1
Imageends_with\svchost.exe120
TargetFilenameends_with\pocket_containers.json1
TargetFilenameends_with_gpos.json1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 13 rules

Splunk 6 rules