Permission Groups Discovery

Adversaries may attempt to find local system or domain-level groups and permissions settings.


Examples of commands that can list groups are net group /domain and net localgroup, both provided by the Net utility.


On macOS, the same can be accomplished with dscacheutil -q group for the domain, or dscl . -list /Groups for local groups.


On Linux, local groups can be enumerated with the groups command and domain groups via the ldapsearch command.

ID: T1069

Tactic: Discovery

Platform: Linux, macOS, Windows

Permissions Required: User

Data Sources: API monitoring, Process monitoring, Process command-line parameters


Version: 1.0



admin@338 actors used the following command, after exploiting a machine with LOWBALL malware, to list local groups: net localgroup administrator >> %temp%\download[1]


APT3 has a tool that can enumerate the permissions associated with Windows groups.[2]

Dragonfly 2.0 used batch scripts to enumerate administrators in the environment.[3]


dsquery can be used to gather information on permission groups within a domain.[4]


Emissary has the capability to execute the command net localgroup administrators.[5]


Helminth has checked for the local admin group, the domain admin group, and the Exchange Trusted Subsystem group using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain.[6]


JPIN can obtain the victim user name.[7]


Kazuar gathers information about local groups and members.[8]


Ke3chang performs discovery of permission groups with net group /domain.[9]


Kwampirs collects lists of local accounts with administrative access, local group user accounts, and domain local groups with the commands net localgroup administrators, net localgroup users, and net localgroup /domain.[10]


has the capability to retrieve information about groups.[11]


Commands such as net group and net localgroup can be used in Net to gather information about and manipulate groups.[12]


OilRig has used net group /domain, net localgroup administrators, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to find group permission settings on a victim.[13]


OSInfo specifically looks for the Domain Admins, Power Users, and Administrators groups within the domain and locally.[2]


POWRUNER may collect permission group information by running net group /domain or a series of other commands on a victim.[14]


Sys10 collects the group name of the logged-in user and sends it to the C2.[15]


Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting tools [16], like AppLocker [17][18] or Software Restriction Policies [19], where appropriate [20].


System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
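As an added example that is not part of the ATT&CK page, the following Python applies the command-line monitoring described above to constructed process-creation events (hostnames, users and the ldapsearch filter are made up): it tags the group-enumeration commands this page lists (net group, net localgroup, dsquery, dscl, dscacheutil, ldapsearch, groups) and then counts hits per host and user, so repeated enumeration by one principal can be escalated as a chain of behaviour rather than judged in isolation.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events (not real telemetry); the fields
# mirror what a Sysmon or EDR process event carries. All values are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "cmdline": "net group /domain"},
    {"host": "ws01", "user": "jdoe", "cmdline": 'net group "Exchange Trusted Subsystem" /domain'},
    {"host": "ws01", "user": "jdoe", "cmdline": "net1 localgroup administrators"},
    {"host": "ws01", "user": "jdoe", "cmdline": "net use \\\\fs01\\share"},
    {"host": "dc01", "user": "svc_backup", "cmdline": 'dsquery group -name "Domain Admins"'},
    {"host": "mac01", "user": "asmith", "cmdline": "dscl . -list /Groups"},
    {"host": "lnx01", "user": "bob", "cmdline": "ldapsearch -x -b dc=corp,dc=example (objectClass=group)"},
    {"host": "lnx01", "user": "bob", "cmdline": "ls -la /etc/group"},
]

# One regex per enumeration command the page lists; net1.exe is the helper net.exe hands off to.
GROUP_DISCOVERY_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("net_group",        re.compile(r"^\s*net1?(\.exe)?\s+(group|localgroup)\b", re.I)),
    ("dsquery_group",    re.compile(r"^\s*dsquery(\.exe)?\s+group\b", re.I)),
    ("macos_groups",     re.compile(r"^\s*(dscl|dscacheutil)\b.*\bgroups?\b", re.I)),
    ("ldapsearch_group", re.compile(r"^\s*ldapsearch\b.*objectclass=group", re.I)),
    ("groups_cmd",       re.compile(r"^\s*groups(\s|$)", re.I)),
]

def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first rule the command line trips, or None if it is unrelated."""
    for name, pattern in GROUP_DISCOVERY_PATTERNS:
        if pattern.search(cmdline):
            return name
    return None

def find_group_discovery(events: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Pair every group-enumeration event with the rule it matched; other events are dropped."""
    return [(rule, e) for e in events if (rule := classify(e["cmdline"]))]

def discovery_chains(events: List[Dict[str, str]], min_hits: int = 2) -> Dict[Tuple[str, str], int]:
    """Count group-discovery hits per (host, user) and keep only principals that reach min_hits;
    one 'net group' from an admin is often benign, a burst from one principal is worth escalating."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for _, event in find_group_discovery(events):
        counts[(event["host"], event["user"])] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}

if __name__ == "__main__":
    for rule, event in find_group_discovery(SAMPLE_EVENTS):
        print(f"{rule:17} {event['host']}/{event['user']}: {event['cmdline']}")
    print("escalate:", discovery_chains(SAMPLE_EVENTS))
```

On the sample events the single hits from dc01, mac01 and lnx01 are reported but only ws01/jdoe, with three distinct enumeration commands, crosses the escalation threshold.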