DET0360: Behavioral Detection of Domain Group Discovery
Analyst context for executives and security teams
DET0360 is a MITRE detection strategy for identifying behavior associated with discovery of domain groups. The business significance is that domain group enumeration can help an intruder understand privileged roles and choose higher-value accounts or paths for follow-on activity. Even though this ATT&CK detection strategy has no official description or detection logic provided, its relationship to Domain Groups (T1069.002) makes it relevant for validating whether identity and directory discovery is visible to the SOC.
Executive priority
Prioritize this as an identity visibility and incident-readiness question: can the organization prove when users, hosts, or processes are querying domain-level groups and membership, especially privileged groups? For leaders, the value is not a single alert but assurance that directory reconnaissance against groups such as administrative or high-privilege roles can be investigated quickly, supported by retained logs, and explained as compliance or incident evidence.
Technical view
The supplied object contains no official detection text and no platforms of its own. Its only relationship is that it detects T1069.002 Domain Groups, a Discovery technique associated with Linux, macOS, and Windows. SOC and detection engineering teams should therefore validate coverage around domain group and membership enumeration behavior rather than rely on DET0360 as a complete analytic. Focus on whether directory queries, command execution, process context, account context, source host, and queried group names can be correlated to distinguish routine administration from suspicious discovery activity.
Likely telemetry
- Directory service or identity provider logs showing group and membership queries
- Endpoint process execution telemetry for commands or tools used to enumerate groups
- Authentication and account context for the user or service account performing the query
- Host and network context identifying the source system performing directory discovery
- Administrative audit logs for privileged group membership lookups where available
Detection direction
- Validate that monitoring covers domain-level group enumeration and membership lookups, not only changes to groups.
- Tune detections around unusual users, unusual hosts, high query volume, or access to privileged group information while accounting for normal IT administration, inventory, identity governance, and help desk workflows.
- Where possible, correlate group discovery with other discovery, credential access, or privilege escalation signals before raising the severity of an alert.
- Check blind spots created by limited endpoint logging, missing directory audit events, unmanaged systems, or short log-retention windows.
- Because the ATT&CK object provides no official analytic logic, require local baselining and testing before treating this as reliable detection coverage.
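One way to put these tuning points into practice, added here as an illustrative example rather than MITRE's or Glexia's own logic (the page notes that DET0360 carries none): correlate user, source host and queried group, suppress actors that belong to a locally baselined administrative workflow, and flag privileged-group lookups or unusually high query volume. The event schema, group names, host names and threshold are all assumptions and must be replaced by values derived from your own directory logs.

```python
from collections import defaultdict

# Constructed sample records (assumed schema: user, host, group). Not real log data.
SAMPLE_EVENTS = [
    {"user": "svc-idgov", "host": "idm01", "group": g}
    for g in ["Domain Admins", "Finance", "HR", "Sales", "Engineering", "Backup Operators"]
] + [
    {"user": "jsmith", "host": "ws042", "group": "Domain Admins"},
    {"user": "helpdesk1", "host": "hd07", "group": "Finance"},
    {"user": "helpdesk1", "host": "hd07", "group": "HR"},
    {"user": "helpdesk1", "host": "hd07", "group": "Sales"},
] + [
    {"user": "mlee", "host": "ws113", "group": g}
    for g in ["Finance", "HR", "Sales", "Engineering", "Legal", "Marketing"]
]

# Assumed local baseline; every value here must be derived from your own environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Backup Operators"}
EXPECTED_ENUMERATORS = {("svc-idgov", "idm01")}   # identity-governance job on its usual host
VOLUME_THRESHOLD = 5                                # distinct groups per (user, host)


def find_suspicious_enumeration(events, privileged=PRIVILEGED_GROUPS,
                                expected=EXPECTED_ENUMERATORS,
                                threshold=VOLUME_THRESHOLD):
    """Group events by (user, host) and return one finding per actor, with reasons."""
    groups_by_actor = defaultdict(set)
    for e in events:
        groups_by_actor[(e["user"], e["host"])].add(e["group"])

    findings = []
    for actor, groups in sorted(groups_by_actor.items()):
        if actor in expected:
            continue  # baselined administrative workflow: suppress the alert, keep the log
        reasons = []
        hit = sorted(groups & privileged)
        if hit:
            reasons.append(f"privileged group lookup: {', '.join(hit)}")
        if len(groups) >= threshold:
            reasons.append(f"high volume: {len(groups)} distinct groups")
        if reasons:
            findings.append({"user": actor[0], "host": actor[1],
                             "groups": sorted(groups), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enumeration(SAMPLE_EVENTS):
        print(f["user"], f["host"], "|", "; ".join(f["reasons"]))
```

Passing an empty `expected` set shows why the baseline matters: the identity-governance job then trips both rules and becomes the noisiest finding.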
Mitigation priorities
- Ensure directory and endpoint logging needed for group discovery investigations is enabled and retained.
- Review access to sensitive group membership information and limit unnecessary visibility where business processes allow.
- Maintain clear ownership and documentation for privileged groups so suspicious enumeration can be triaged quickly.
- Establish SOC runbooks for group discovery alerts, including expected administrative sources and escalation criteria.
- Use incident response exercises to confirm analysts can reconstruct who queried which groups, from where, and in what surrounding activity context.
Analyst notes and limits
This take is based on DET0360 and its relationship to T1069.002 Domain Groups. MITRE did not provide an official description, detection text, tactics, or platforms on the detection-strategy object itself. The related technique supplies the Discovery context and Linux, macOS, and Windows platform scope.
Coverage decisions require local evidence: directory architecture, logging configuration, endpoint telemetry, identity provider capabilities, normal administrative workflows, and retention requirements. This summary does not assert active exploitation, attribution, guaranteed detection, or customer exposure.
Behavioral Detection of Domain Group Discovery
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1069.002 | Domain Groups (sub-technique) | This object detects Domain Groups. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7a7c8224f7a7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0360 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.