AN0507: Analytic 0507
Detection of adversary enumeration of domain or local group memberships via native tools such as net.exe, PowerShell, or WMI. This activity may precede lateral movement or privilege escalation.
Analyst context for executives and security teams
This analytic concerns Windows activity where an adversary enumerates local or domain group memberships using native tools such as net.exe, PowerShell, or WMI. For leaders, the significance is not the command itself but what it often enables: understanding who has access, which groups are privileged, and where lateral movement or privilege escalation may be possible. Because the supplied ATT&CK object has no detection logic or relationship context, teams should treat this as a coverage-validation topic rather than a ready-made alert.
Executive priority
Prioritize this behavior as an identity and incident-readiness control point. Security leaders should ask whether the organization can reliably see group membership discovery on Windows systems, especially when it occurs near sensitive hosts or privileged accounts. This supports better SOC triage, incident scoping, access governance evidence, and decisions about where identity hardening or privileged access controls need investment.
Technical view
SOC and detection teams should validate Windows visibility for native group-enumeration activity involving net.exe, PowerShell, and WMI. Since ATT&CK provides no official detection logic for AN0507, detection engineering should focus on locally baselining legitimate administrative activity, identifying unusual users, hosts, timing, or command patterns, and correlating enumeration with other suspicious activity that may indicate preparation for lateral movement or privilege escalation. IR teams should treat confirmed suspicious enumeration as a cue to review account context, group membership exposure, recent authentication activity, and affected host roles.
Likely telemetry
- Windows process creation telemetry with command-line arguments (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) for net.exe, net1.exe, wmic.exe, and PowerShell hosts
- PowerShell logging where enabled, such as script block logging (Event ID 4104) and module logging, which also exposes encoded or scripted enumeration that a command-line regex alone would miss
- WMI activity telemetry from Windows hosts, for example the Microsoft-Windows-WMI-Activity/Operational log or command-line capture of wmic.exe and of PowerShell querying Win32_Group or Win32_GroupUser
- Endpoint detection and response process and parent-child process context
- Windows security logs and authentication context around the user and host performing enumeration
Detection direction
- Confirm whether Windows endpoints collect process command lines for native administrative tools used to enumerate local or domain groups. Security Event ID 4688 records the command line only when "Include command line in process creation events" is enabled; Sysmon Event ID 1 records it by default.
- Baseline expected administrative, helpdesk, identity-management, and software-management activity to reduce false positives.
- Tune for unusual combinations of user, host, time, parent process, or target group context rather than treating all group enumeration as malicious.
- Correlate enumeration with follow-on suspicious authentication, remote execution, privilege use, or lateral movement indicators where available.
- Account for blind spots where PowerShell logging, WMI telemetry, or command-line capture is disabled or inconsistently deployed.
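The baselining, tuning, correlation and blind-spot points above, worked through as an added example that is not part of the ATT&CK object or of this page's analysis. It is a small Python pass over constructed process-creation records (shaped loosely after Sysmon Event ID 1 / Security 4688 fields) and logon records (shaped after 4624/4648). The regexes cover the three native paths the analytic names; the baseline sets (accounts, hosts, parent processes, business hours), the two-reason alert threshold, the 30-minute correlation window and every hostname and account name are assumptions standing in for values you would derive from your own telemetry. Events with no captured command line are returned as a coverage gap rather than silently dropped.

```python
"""Added example (not from the ATT&CK object or this page): toy detection pass for
native group-membership enumeration over constructed Sysmon EID 1 / 4688-style process
records and 4624/4648-style logon records. Names, baselines and window are assumptions."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# One regex per native path named by AN0507, searched case-insensitively over the
# whole command line so wrappers such as "cmd.exe /c net group ..." still match.
ENUM_PATTERNS = {
    "net": re.compile(r"\bnet1?(?:\.exe)?\s+(?:localgroup|group)\b", re.I),
    "powershell": re.compile(
        r"Get-(?:Local)?GroupMember|Get-ADGroupMember|Get-ADPrincipalGroupMembership|memberof", re.I),
    "wmi": re.compile(r"\bwmic(?:\.exe)?\s+(?:/node:\S+\s+)?group\b|\bWin32_Group(?:User)?\b", re.I),
}
PRIVILEGED_GROUPS = re.compile(r"domain admins|enterprise admins|administrators|schema admins", re.I)
# Local baseline (assumed for the example): identities, hosts, parents and hours for
# which group enumeration is routine. Real values come from your own telemetry.
BASELINE_ADMINS = {"corp\\svc-idm", "corp\\helpdesk01"}
BASELINE_HOSTS = {"idm-jump01", "helpdesk-ws07"}
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe", "mmc.exe"}
BUSINESS_HOURS = range(7, 20)
CORRELATION_WINDOW = timedelta(minutes=30)

# Minimal record shapes; a real pipeline maps Sysmon/4688 and 4624/4648 fields onto these.
ProcEvent = namedtuple("ProcEvent", "ts host user cmdline parent_image")
AuthEvent = namedtuple("AuthEvent", "ts host user target kind")


def classify(ev):
    """Name the enumeration path the command line matches, or None."""
    for method, pat in ENUM_PATTERNS.items():
        if pat.search(ev.cmdline):
            return method
    return None


def anomaly_reasons(ev):
    """Tuning step: which of user/host/time/parent/target break the baseline."""
    reasons = []
    if ev.user.lower() not in BASELINE_ADMINS:
        reasons.append("user not in admin baseline")
    if ev.host.lower() not in BASELINE_HOSTS:
        reasons.append("host not an expected admin host")
    if ev.ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent {parent}")
    if PRIVILEGED_GROUPS.search(ev.cmdline):
        reasons.append("privileged group targeted")
    return reasons


def detect(procs, auths, threshold=2):
    """Return (findings, blind_spots). A finding needs >= threshold anomaly reasons and
    carries logons by the same user from the same host inside the correlation window."""
    findings, blind = [], []
    for ev in sorted(procs, key=lambda e: e.ts):
        if not ev.cmdline.strip():
            blind.append(ev)  # command line not captured: coverage gap, not a clean result
            continue
        method = classify(ev)
        if method is None:
            continue
        reasons = anomaly_reasons(ev)
        if len(reasons) < threshold:
            continue
        followon = [a for a in auths if a.user.lower() == ev.user.lower()
                    and a.host.lower() == ev.host.lower()
                    and ev.ts <= a.ts <= ev.ts + CORRELATION_WINDOW]
        findings.append({"event": ev, "method": method, "reasons": reasons, "followon": followon})
    return findings, blind


def _t(hh, mm):
    return datetime(2024, 3, 12, hh, mm)


CMD = r"C:\Windows\System32\cmd.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_PROCS = [  # constructed records, not real telemetry
    ProcEvent(_t(10, 5), "helpdesk-ws07", "CORP\\helpdesk01", 'net  group "Sales" /domain', CMD),
    ProcEvent(_t(22, 41), "fin-ws113", "CORP\\jdoe", 'cmd.exe /c net group "Domain Admins" /domain', WORD),
    ProcEvent(_t(23, 2), "fin-ws113", "CORP\\jdoe",
              "powershell -nop -c Get-LocalGroupMember -Group Administrators", CMD),
    ProcEvent(_t(3, 0), "idm-jump01", "CORP\\svc-idm", "wmic group get name,sid", CMD),
    ProcEvent(_t(23, 5), "fin-ws113", "CORP\\jdoe", "", CMD),  # command line not captured
    ProcEvent(_t(9, 0), "fin-ws113", "CORP\\jdoe", r"net use Z: \\fileserver\share", CMD),
]
SAMPLE_AUTHS = [
    AuthEvent(_t(22, 55), "fin-ws113", "CORP\\jdoe", "dc01", "4648 explicit-credential logon"),
    AuthEvent(_t(23, 30), "fin-ws113", "CORP\\jdoe", "fileserver", "4624 network logon"),
    AuthEvent(_t(18, 0), "fin-ws113", "CORP\\jdoe", "dc01", "4624 network logon"),
]

if __name__ == "__main__":
    findings, blind = detect(SAMPLE_PROCS, SAMPLE_AUTHS)
    for f in findings:
        print(f"[{f['event'].ts:%H:%M}] {f['event'].user} via {f['method']}: {', '.join(f['reasons'])}")
        for a in f["followon"]:
            print(f"    -> {a.kind} to {a.target} at {a.ts:%H:%M}")
    print(f"{len(blind)} process event(s) had no command line captured (coverage gap)")
```

Run stand-alone, the pass raises two findings (the Word-spawned `net group "Domain Admins"` and the follow-up `Get-LocalGroupMember`, each with the logon that followed it), tunes out the helpdesk and service-account lookups that match the baseline, ignores the unrelated `net use`, and reports one event whose command line was never captured. The regexes are deliberately narrow: they still catch `cmd /c` wrappers but not `-EncodedCommand` payloads, which is exactly why the telemetry list above pairs command-line capture with script block logging.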
Mitigation priorities
- Reduce unnecessary exposure of privileged group membership and keep group structures aligned to least privilege.
- Restrict and monitor administrative access to Windows systems and identity infrastructure.
- Harden PowerShell and WMI monitoring configurations where operationally appropriate.
- Maintain endpoint and Windows logging coverage sufficient to support incident reconstruction.
- Use privileged access management and access review processes to limit the value of group enumeration to an intruder.
Analyst notes and limits
AN0507 is a detection analytic object for Windows group membership enumeration using native tools. The object states this activity may precede lateral movement or privilege escalation, but it does not provide tactics, detection logic, procedures, relationships, or actor context. Glexia’s practical recommendation is to use it as a validation item for identity-aware Windows monitoring and SOC triage workflows.
This take is limited to the supplied ATT&CK fields and external reference. No official detection content, relationship context, active exploitation evidence, attribution, or non-Windows platform support was provided. Local baselines and environment-specific logging determine whether this behavior can be detected reliably.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9067daab3055… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0507
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.