AN0317: Analytic 0317
Detects attempts to enumerate local groups via Net.exe, PowerShell, or native API calls that precede lateral movement or privilege abuse.
Analyst context for executives and security teams
This analytic matters because local group enumeration on Windows is often a decision point before an intruder attempts lateral movement or privilege abuse. For leaders, the practical question is whether the organization can see when accounts, scripts, or tools are querying local administrator and other local group membership across endpoints, because that visibility can shorten investigations and help validate whether privilege boundaries are being mapped before misuse.
Executive priority
Prioritize this as a Windows endpoint and identity-risk visibility check. It supports incident decision-making by helping teams distinguish routine administration from suspicious discovery that may precede broader access. It is also useful audit evidence for whether SOC and IR teams can observe privilege-enumeration behavior rather than relying only on later-stage alerts.
Technical view
Validate detection for Windows-based local group enumeration using Net.exe, PowerShell, and native API call activity where telemetry allows. Because ATT&CK provides no official detection logic for this analytic, teams should confirm their own command-line, PowerShell, process, and relevant endpoint telemetry can identify local group enumeration patterns and correlate them with user context, host role, frequency, and subsequent access attempts.
Likely telemetry
- Windows process creation events with command-line arguments
- PowerShell execution and script block or module logging where enabled
- Endpoint detection telemetry for native API-driven local group queries
- User, host, and parent-process context
- Time-series activity showing enumeration across one or more Windows systems
Detection direction
- Test visibility for Net.exe and PowerShell-based local group enumeration on Windows endpoints.
- Tune for administrative baselines, including helpdesk scripts, endpoint management tooling, and legitimate inventory activity.
- Prioritize alerts when enumeration is unusual for the user, occurs on sensitive systems, or is followed by authentication, remote access, or privilege-related activity.
- Account for a blind spot where native API calls may not produce obvious command-line evidence unless endpoint telemetry captures API or behavioral activity.
- Document that ATT&CK does not provide official detection logic for AN0317, so local validation is required.
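As an added illustration of the detection direction above (not part of the ATT&CK object or of Glexia's content), the Python below applies the Net.exe and PowerShell enumeration patterns to constructed process-creation and logon records, then prioritizes each hit using an administrative baseline, a sensitive-host list, and a follow-on network-logon check. The baseline entries, host names, account names, and the 15-minute window are hypothetical tuning values.

```python
import re
from datetime import datetime, timedelta

# Enumeration patterns named on the page: Net.exe (and its net1.exe helper) querying
# local groups, and the PowerShell LocalAccounts cmdlets. Native API calls leave no
# command line, so they are out of scope for this command-line check.
ENUM_PATTERNS = [
    re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b", re.IGNORECASE),
    re.compile(r"\bGet-LocalGroup(?:Member)?\b", re.IGNORECASE),
]
# Hypothetical tuning data: (account, parent image) pairs that enumerate routinely,
# and hosts where any enumeration should be prioritized.
BASELINE = {("helpdesk-svc", "c:\\program files\\inventory\\agent.exe")}
SENSITIVE_HOSTS = {"DC01", "FS01"}

def is_enumeration(cmd):
    return any(p.search(cmd) for p in ENUM_PATTERNS)

def analyze(events, window_minutes=15):
    """Flag local-group enumeration and attach the prioritization reasons."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    logons = [e for e in events if e["kind"] == "logon"]
    findings = []
    for ev in events:
        if ev["kind"] != "process" or not is_enumeration(ev["cmd"]):
            continue
        reasons = []
        if (ev["user"], ev["parent"].lower()) not in BASELINE:
            reasons.append("enumeration unusual for this user/parent")
        if ev["host"] in SENSITIVE_HOSTS:
            reasons.append("sensitive host")
        start, end = ts(ev), ts(ev) + timedelta(minutes=window_minutes)
        if any(l["src_host"] == ev["host"] and start <= ts(l) <= end for l in logons):
            reasons.append("followed by network logon from this host")
        findings.append({"host": ev["host"], "user": ev["user"], "cmd": ev["cmd"],
                         "priority": "high" if reasons else "baseline", "reasons": reasons})
    return findings

# Constructed sample telemetry (not real logs): process creation with command line,
# plus one network logon (4624 type 3) seen shortly after a workstation query.
SAMPLE_EVENTS = [
    {"kind": "process", "ts": "2024-05-01T09:00:00", "host": "WS01", "user": "helpdesk-svc",
     "parent": "C:\\Program Files\\Inventory\\agent.exe", "cmd": "net.exe localgroup administrators"},
    {"kind": "process", "ts": "2024-05-01T09:05:00", "host": "WS02", "user": "jdoe",
     "parent": "C:\\Windows\\explorer.exe", "cmd": "cmd.exe /c dir"},
    {"kind": "process", "ts": "2024-05-01T10:00:00", "host": "WS07", "user": "jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "net1 localgroup \"Remote Desktop Users\""},
    {"kind": "logon", "ts": "2024-05-01T10:06:00", "host": "FS01", "user": "jdoe", "src_host": "WS07"},
    {"kind": "process", "ts": "2024-05-01T10:08:00", "host": "FS01", "user": "jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "powershell -c Get-LocalGroupMember Administrators"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["priority"], f["host"], f["user"], f["cmd"], "; ".join(f["reasons"]))
```

Running the block prints one line per enumeration hit: the inventory agent query stays at baseline, while the two user-driven queries are raised to high with the reasons that triggered them.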
Mitigation priorities
- Establish and review baseline administrative group-enumeration activity on Windows systems.
- Limit unnecessary local administrator membership and regularly review local group assignments.
- Ensure PowerShell and endpoint logging policies support investigation of group enumeration activity.
- Use least-privilege administration and separate privileged accounts to reduce the value of discovered group membership.
- In incident response playbooks, treat suspicious local group enumeration as a prompt to investigate possible lateral movement preparation or privilege abuse.
Analyst notes and limits
AN0317 is a detection analytic for Windows local group enumeration via Net.exe, PowerShell, or native API calls. No ATT&CK tactics, relationships, or official detection content were supplied, so this analysis focuses on defensive validation and operational decision value rather than specific rule syntax.
The source object is sparse: it provides the platform, high-level behavior, and external reference only. There is no official detection logic, no relationship context, and no supplied evidence of exploitation, attribution, or coverage. Local environment baselines and telemetry availability determine practical detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 91d9482a4de1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0317
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.