MITRE ATT&CK® Detection Strategy

DET0114: Behavioral Detection of Local Group Enumeration Across OS Platforms

Enterprise | DET0114 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0114 is a MITRE ATT&CK detection strategy for identifying behavior associated with local group enumeration, which maps to T1069.001 Local Groups. In business terms, this matters because discovery of local groups can help an intruder understand where elevated privileges may exist before attempting privilege escalation, lateral movement, or broader account targeting. The supplied ATT&CK record is sparse, so the value for leaders is to verify whether SOC and endpoint monitoring can reliably see local group and permission discovery activity across the operating systems in scope for T1069.001: Linux, macOS, and Windows.

Executive priority

Treat this as a readiness check for identity and endpoint visibility rather than a standalone risk. Security leaders should ask whether local administrator and privileged local group membership is governed, whether endpoint telemetry can show group-enumeration behavior, and whether incident responders can quickly determine if discovery activity preceded privilege abuse. This supports resilience, audit evidence around privileged access oversight, and prioritization of endpoint and identity monitoring controls.

Technical view

The object has no official detection text and no platforms listed on the detection-strategy object itself. The relationship states that it detects T1069.001 Local Groups, a Discovery technique affecting Linux, macOS, and Windows. SOC and detection teams should validate telemetry and analytics for behavioral signs of local group and permission enumeration, especially activity that identifies local administrators or other elevated local groups. Detection engineering should avoid relying only on one command name or one operating system pattern; the ATT&CK relationship indicates the underlying behavior is cross-platform for the related technique.

Likely telemetry

  • Endpoint process execution telemetry for commands or utilities that enumerate local groups and group membership
  • Command-line arguments where available
  • Operating system audit logs related to local users, groups, and permission queries
  • EDR or host activity records showing discovery behavior on Linux, macOS, and Windows systems in scope for T1069.001
  • Identity and endpoint inventory data showing expected local administrator or privileged local group membership

Detection direction

  • Validate that analytics are mapped to T1069.001 Local Groups and tested against local group enumeration behavior, not only generic discovery alerts.
  • Tune for context: administrative scripts, IT support tools, endpoint management activity, and compliance scans may legitimately query local groups and can create false positives.
  • Prioritize unusual enumeration by non-administrative users, unexpected parent processes, newly observed hosts, or activity occurring near other discovery behavior, while confirming those correlations with local telemetry.
  • Check blind spots where command-line logging, endpoint audit policy, or EDR coverage is incomplete across Linux, macOS, and Windows assets.
  • Because the official detection field is not provided, maintain local detection logic, test cases, and evidence requirements rather than assuming MITRE supplies a complete analytic.
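The detection direction above can be turned into concrete scoring logic. The following is an added example written for this page, not Glexia's or MITRE's code: it runs cross-platform local group enumeration patterns over constructed process telemetry and raises priority for the context signals listed above (non-administrative user, unexpected parent process, host not in inventory, nearby discovery activity). The utilities matched (net, Get-LocalGroup, wmic, getent, dscl, dscacheutil) are real; the allow-lists of expected users and parent images, the host inventory, the sample events and the score thresholds are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    """One process-execution record as an EDR or OS audit log would supply it."""
    ts: datetime
    host: str
    platform: str        # "windows", "linux" or "macos"
    user: str
    parent_image: str
    image: str
    cmdline: str


@dataclass
class Finding:
    event: ProcEvent
    score: int
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Thresholds are an assumption for this example; tune to local volume.
        return "high" if self.score >= 5 else "medium" if self.score >= 3 else "low"


# Real utilities whose command lines show local group enumeration on each platform.
# Which ones to cover is this example's assumption; extend from your own telemetry.
ENUM_PATTERNS = {
    "windows": [
        re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b", re.I),
        re.compile(r"\bGet-LocalGroup(?:Member)?\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\s+group\b", re.I),
    ],
    "linux": [
        re.compile(r"\bgetent\s+group\b"),
        re.compile(r"\b(?:cat|less|more)\s+\S*/etc/(?:group|sudoers)\b"),
    ],
    "macos": [
        re.compile(r"\bdscl\b.*/Groups\b"),
        re.compile(r"\bdscacheutil\s+-q\s+group\b"),
    ],
}

# Constructed tuning lists (assumptions): accounts and parent images that are
# expected to enumerate groups in the modelled environment (management agents,
# compliance scans). These are the "tune for context" exceptions.
EXPECTED_USERS = {"CORP\\svc-endpointmgmt", "root", "_mdmagent"}
EXPECTED_PARENTS = {
    "c:\\program files\\endpointmgmt\\agent.exe",
    "/usr/local/bin/compliance-scan",
    "/usr/libexec/mdmclient",
}
# Other discovery utilities; seeing one near the enumeration raises priority.
OTHER_DISCOVERY = {"whoami.exe", "systeminfo.exe", "id", "uname", "sw_vers"}


def basename(path: str) -> str:
    """Last path component, tolerant of both separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_group_enumeration(ev: ProcEvent) -> bool:
    """True when the command line matches a group-enumeration pattern for the platform."""
    return any(p.search(ev.cmdline) for p in ENUM_PATTERNS.get(ev.platform, []))


def detect(events, known_hosts=frozenset(), window=timedelta(minutes=10)):
    """Score each enumeration event by the context signals the page lists."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for ev in ordered:
        if not is_group_enumeration(ev):
            continue
        score, reasons = 1, ["local group enumeration command line"]
        if ev.user not in EXPECTED_USERS:
            score += 2
            reasons.append(f"non-administrative user {ev.user}")
        if ev.parent_image.lower() not in EXPECTED_PARENTS:
            score += 2
            reasons.append(f"unexpected parent {ev.parent_image}")
        if ev.host not in known_hosts:
            score += 1
            reasons.append(f"host {ev.host} not in inventory")
        nearby = [o for o in ordered if o is not ev and o.host == ev.host
                  and o.user == ev.user and abs(o.ts - ev.ts) <= window
                  and basename(o.image) in OTHER_DISCOVERY]
        if nearby:
            score += 2
            reasons.append("other discovery activity within window: "
                           + ", ".join(basename(o.image) for o in nearby))
        findings.append(Finding(ev, score, reasons))
    return findings


T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    ProcEvent(T0, "ws-01", "windows", "CORP\\svc-endpointmgmt",
              "C:\\Program Files\\EndpointMgmt\\agent.exe",
              "C:\\Windows\\System32\\net.exe", "net.exe localgroup administrators"),
    ProcEvent(T0 + timedelta(minutes=30), "ws-02", "windows", "CORP\\jdoe",
              "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\whoami.exe", "whoami /groups"),
    ProcEvent(T0 + timedelta(minutes=31), "ws-02", "windows", "CORP\\jdoe",
              "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\net.exe", "net localgroup administrators"),
    ProcEvent(T0 + timedelta(hours=1), "srv-01", "linux", "root",
              "/usr/local/bin/compliance-scan", "/usr/bin/getent", "getent group sudo"),
    ProcEvent(T0 + timedelta(hours=2), "mac-07", "macos", "alice",
              "/bin/zsh", "/usr/bin/dscl", "dscl . -read /Groups/admin GroupMembership"),
    ProcEvent(T0 + timedelta(hours=3), "srv-01", "linux", "bob",
              "/bin/bash", "/bin/ls", "ls -la /tmp"),
]
KNOWN_HOSTS = frozenset({"ws-01", "ws-02", "srv-01"})

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, KNOWN_HOSTS):
        print(f"{f.severity:6} {f.event.host:7} {f.event.user:24} {f.event.cmdline}")
        for r in f.reasons:
            print("       -", r)
```

Run on the constructed events, the management-agent and compliance-scan enumerations score low, while the same commands from an interactive shell under a non-administrative user, one of them preceded by another discovery command, score high. The matching and the scoring are deliberately separate: the patterns answer "is this T1069.001 behaviour at all", the context signals answer "does it deserve analyst time", and the expected-source sets are the place to record the administrative exceptions the page says should be documented.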

Mitigation priorities

  • Maintain accurate inventory and governance of local privileged groups, especially local administrators or equivalent elevated groups.
  • Limit unnecessary local administrative membership and review exceptions through privileged access management processes.
  • Ensure endpoint logging and EDR collection are enabled consistently across operating systems relevant to T1069.001.
  • Document detection logic, expected administrative enumeration sources, and triage procedures as compliance and incident-readiness evidence.
  • Use findings from alerts or hunts to improve identity hygiene and local privilege management rather than treating enumeration as an isolated event.

Analyst notes and limits

The supplied object is a detection strategy, external ID DET0114, named Behavioral Detection of Local Group Enumeration Across OS Platforms. It detects T1069.001 Local Groups. The related ATT&CK description states adversaries may identify local system groups and permission settings to determine which groups exist and which users may have elevated permissions. No official DET0114 description or detection text was supplied, so this take focuses on defensive validation and telemetry requirements derived from the relationship context.

The ATT&CK detection-strategy object does not specify platforms, tactics, aliases, labels, description, or official detection content. Platform references come only from the related T1069.001 technique context. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage; local environment telemetry and control configuration are required to determine actual coverage.

Official MITRE ATT&CK definition

Behavioral Detection of Local Group Enumeration Across OS Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1069.001
Name: Local Groups (sub-technique)
Relationship / procedure: This object detects Local Groups.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f11b62e008ef2536...
Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: f11b62e008ef…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0114 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.