MITRE ATT&CK Technique
Discovery
T1069.001
Description
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. Commands such as `net localgroup` of the [Net](https://attack.mitre.org/software/S0039) utility, `dscl . -list /Groups` on macOS, and `groups` on Linux can list local groups.
Supported Platforms
Linux
macOS
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-03-12T19:29:21.013Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to find local system groups and '
'permission settings. The knowledge of local system permission '
'groups can help adversaries determine which groups exist and '
'which users belong to a particular group. Adversaries may use '
'this information to determine which users have elevated '
'permissions, such as the users found within the local '
'administrators group.\n'
'\n'
'Commands such as <code>net localgroup</code> of the '
'[Net](https://attack.mitre.org/software/S0039) utility, '
'<code>dscl . -list /Groups</code> on macOS, and '
'<code>groups</code> on Linux can list local groups.',
'external_references': [{'external_id': 'T1069.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1069/001'}],
'id': 'attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-24T17:49:10.014Z',
'name': 'Local Groups',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Harshal Tupsamudre, Qualys',
'Miriam Wiesner, @miriamxyra, Microsoft Security'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.2'}