Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Commands such as
net localgroup of the Net utility,
dscl . -list /Groups on macOS, and
groups on Linux can list local groups.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component||Detects|
Monitor for executed commands and arguments that may attempt to find local system groups and permission settings.
Monitor newly executed processes that may attempt to find local system groups and permission settings.