Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Commands such as
net localgroup of the Net utility,
dscl . -list /Groups on macOS, and
groups on Linux can list local groups.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component||Detects|
Monitor for executed commands and arguments that may attempt to find local system groups and permission settings.
Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
|DS0009||Process||OS API Execution||
Monitor for API calls associated with finding local system groups and permission settings, such as NetLocalGroupEnum.
Monitor newly executed processes that may attempt to find local system groups and permission settings.