Adversaries enumerate local system groups (ATT&CK T1069.001) to learn which accounts sit in privileged groups such as sudo, wheel or docker, and so which credentials or sessions are worth targeting for privilege escalation. On Linux this usually shows up as the `groups` binary, or as one of the standard file readers or editors being pointed at /etc/group. SOC teams should hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) because it is cheap, early reconnaissance that often precedes deeper compromise, and because it is low-noise enough to be worth tuning rather than suppressing.
Detection Rule
title: Local Groups Discovery - Linux
id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
status: test
description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2025-06-04
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/groups'
    selection_2:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/head'
            - '/less'
            - '/more'
            - '/nano'
            - '/tail'
            - '/vi'
            - '/vim'
        CommandLine|contains: '/etc/group'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low
imProcessCreate
| where TargetProcessName endswith "/groups"
    or (
        (TargetProcessName endswith "/cat"
            or TargetProcessName endswith "/ed"
            or TargetProcessName endswith "/head"
            or TargetProcessName endswith "/less"
            or TargetProcessName endswith "/more"
            or TargetProcessName endswith "/nano"
            or TargetProcessName endswith "/tail"
            or TargetProcessName endswith "/vi"
            or TargetProcessName endswith "/vim")
        and TargetProcessCommandLine contains "/etc/group"
    )
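The following Python re-implements the rule's two selections and runs them over a handful of constructed process-creation events. It is an added example, not code from the rule's authors or from the Sigma or Sentinel projects; the ProcessEvent field names and the compliance-script path used for the exclusion are assumptions made for the example. Its purpose is to make two things concrete: exactly which command lines the rule fires on (including the `endswith` and `contains` edge cases), and that a tuning exclusion keyed on a specific parent script is safer than one keyed on uid=0.

```python
"""Re-implementation of the Sigma logic above over constructed process-creation
events (added example; not part of the original rule or page)."""

from dataclasses import dataclass

# Values copied from the rule's two selections.
GROUPS_BINARY_SUFFIX = "/groups"
GROUP_FILE_READERS = ("/cat", "/ed", "/head", "/less", "/more",
                      "/nano", "/tail", "/vi", "/vim")
GROUP_FILE = "/etc/group"


@dataclass
class ProcessEvent:
    """Minimal process_creation record. Field names are assumptions for this
    example, not the Sigma or ASIM field names."""
    image: str          # full path of the executed binary (Sigma: Image)
    command_line: str   # Sigma: CommandLine
    user: str
    parent_image: str = ""


def match_selection(ev: ProcessEvent):
    """Return the name of the selection that fires, or None.
    Mirrors the rule's condition '1 of selection_*'."""
    if ev.image.endswith(GROUPS_BINARY_SUFFIX):
        return "selection_1"
    # endswith against a tuple: the path must end with one of the suffixes
    # including the slash, so /usr/bin/sed does NOT match '/ed'.
    # 'contains' is a plain substring test, so '/etc/group-' (the backup
    # file) matches but '/etc/gshadow' does not.
    if ev.image.endswith(GROUP_FILE_READERS) and GROUP_FILE in ev.command_line:
        return "selection_2"
    return None


# Hypothetical tuning knob: parent scripts of known scheduled compliance jobs.
# The path is an assumption for the example, not a real deployment value.
KNOWN_COMPLIANCE_PARENTS = {"/usr/local/sbin/compliance-audit.sh"}


def is_known_benign(ev: ProcessEvent) -> bool:
    """Exclude by the specific parent script. Deliberately not keyed on
    uid=0: a root shell reading /etc/group is exactly the post-exploitation
    case the rule exists for."""
    return ev.parent_image in KNOWN_COMPLIANCE_PARENTS


def evaluate(events):
    """Return (image, selection) for every event that fires and is not excluded."""
    hits = []
    for ev in events:
        sel = match_selection(ev)
        if sel is not None and not is_known_benign(ev):
            hits.append((ev.image, sel))
    return hits


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # Recon from a web-server account after initial access: fires selection_1.
    ProcessEvent("/usr/bin/groups", "groups www-data", "www-data", "/bin/sh"),
    # Reading the file directly: fires selection_2.
    ProcessEvent("/usr/bin/cat", "cat /etc/group", "alice", "/bin/bash"),
    # Editor on the file: '/usr/bin/vim' ends with '/vim', fires selection_2.
    ProcessEvent("/usr/bin/vim", "vim /etc/group", "root", "/bin/bash"),
    # Same read, but spawned by the allow-listed compliance script: excluded.
    ProcessEvent("/usr/bin/cat", "cat /etc/group", "root",
                 "/usr/local/sbin/compliance-audit.sh"),
    # None of these binaries is in the rule, so none fires. That is a
    # coverage gap in the rule, not a false positive to filter.
    ProcessEvent("/usr/bin/getent", "getent group sudo", "root", "/bin/bash"),
    ProcessEvent("/usr/bin/id", "id", "bob", "/bin/bash"),
    ProcessEvent("/usr/sbin/groupadd", "groupadd deploy", "root", "/bin/bash"),
    ProcessEvent("/usr/bin/sed", "sed -n p /etc/group", "root", "/bin/bash"),
    # '/etc/gshadow' does not contain the substring '/etc/group': not covered.
    ProcessEvent("/usr/bin/cat", "cat /etc/gshadow", "root", "/bin/bash"),
]


if __name__ == "__main__":
    for image, sel in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {sel}: {image}")
```

Run as-is it reports three alerts (groups, cat /etc/group, vim /etc/group) and silently passes the getent, id, groupadd, sed and gshadow events, which is the behaviour of the Sigma rule and the Sentinel query above; if those gaps matter in your environment they need additional selections, not exclusions.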
Scenario: System Administrator Enumerating Groups for Troubleshooting
Description: A system admin runs `groups <user>` or opens /etc/group with cat, less or an editor to investigate group membership issues or verify group configuration. (An admin who uses `getent group` instead reads the same data through NSS, but getent is not in the rule's Image list and will not fire it.)
Filter/Exclusion: Tune on the identity and origin of the session (known administrator accounts, jump hosts, interactive terminals) rather than on uid=0 or user=root. Excluding root wholesale also suppresses the post-exploitation case, where an attacker reads /etc/group from a root shell or a web shell to find which accounts hold privileged group membership.
Scenario: Scheduled Job Running Group Enumeration for Compliance
Description: A scheduled job (via cron or a systemd timer) runs a script that reads /etc/group or calls `groups` as part of a compliance check or audit.
Filter/Exclusion: Exclude by the specific script path or parent process of the known job, or by the service account it runs as. Matching on process-name substrings such as auditd or logrotate does nothing here: neither spawns the binaries this rule matches, so they would never have fired in the first place.
Scenario: Using groupadd to Create a New Group
Description: An admin creates a new local group with groupadd. groupadd writes /etc/group and /etc/gshadow through library calls; it does not spawn `groups` or any of the file readers in the rule, so it does not fire this rule by itself.
Filter/Exclusion: None needed for groupadd. If the admin follows it with `cat /etc/group` to verify the change, that read is the troubleshooting scenario above and should be handled the same way.
Scenario: Running id Command to Check User Group Membership
Description: A user or admin runs `id` to check their own group membership or verify their permissions. The id binary is not in the rule's Image list and does not read /etc/group through one of the listed readers, so it does not fire this rule.
Filter/Exclusion: None needed for id. Do not add an exclusion for sudo or uid=0 on its account: `id` and `sudo -l` are also the first commands an attacker runs after landing on a host, and a rule that ignores them when run as root loses exactly the signal it is meant to provide.
Scenario: Group Enumeration via ldapsearch for LDAP Integration
Description: A system uses ldapsearch to query group objects in a directory as part of an LDAP synchronization or integration process. ldapsearch talks to the directory server rather than reading /etc/group, and it is not in the rule's Image list, so it does not fire this rule.
Filter/Exclusion: Filter out processes that include ldapsearch in the command line and check for LDAP-related