Overview

The LocalGroups command enumerates local group memberships on the system. By default, it shows only non-empty groups, but the -full flag displays all local groups. This is crucial for understanding privilege levels and access controls.

Syntax

# Show non-empty groups only
Seatbelt.exe LocalGroups

# Show all groups
Seatbelt.exe LocalGroups -full

# Enumerate remote computer
Seatbelt.exe "LocalGroups <computername>"

Remote Execution

Seatbelt.exe LocalGroups -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns local group information:
  • Group name
  • Group members (users and groups)
  • Member types (local, domain)
  • SID information

Use Cases

  • Red Team
  • Blue Team
  • Identify privileged users (Administrators, Remote Desktop Users)
  • Find domain users in local admin groups
  • Discover service accounts
  • Plan privilege escalation paths
  • Identify lateral movement targets

Example Output

====== LocalGroups ======

[*] Non-empty Local Groups (use -full to display all groups)

Administrators
  WORKSTATION01\Administrator
  CORP\Domain Admins
  CORP\Workstation Admins
  CORP\john.doe

Remote Desktop Users
  CORP\IT Support
  CORP\help.desk

Users
  NT AUTHORITY\INTERACTIVE
  NT AUTHORITY\Authenticated Users
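The block below is an added example, not Seatbelt's own code: it parses output in the format shown above (the page's sample is embedded as a constant so the script runs offline) and reports non-local principals that hold membership in privileged groups, which is the audit check behind "find domain users in local admin groups". The privileged-group list, the expected-member list and the local host name are assumptions to tune for your own baseline.

```python
"""Parse Seatbelt 'LocalGroups' output into a group -> members map and flag
principals from outside the local machine that sit in privileged groups.
Added example for this page, not Seatbelt's own code."""
from __future__ import annotations

from typing import Dict, List, Tuple

# Constructed sample: the page's example output, embedded so the script runs offline.
SAMPLE_OUTPUT = """\
====== LocalGroups ======

[*] Non-empty Local Groups (use -full to display all groups)

Administrators
  WORKSTATION01\\Administrator
  CORP\\Domain Admins
  CORP\\Workstation Admins
  CORP\\john.doe

Remote Desktop Users
  CORP\\IT Support
  CORP\\help.desk

Users
  NT AUTHORITY\\INTERACTIVE
  NT AUTHORITY\\Authenticated Users
"""

# Groups whose membership grants elevated or remote-access rights
# (assumption: extend to match your environment's baseline).
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}

# Members that are expected in privileged groups by policy and should not be
# reported (assumption: e.g. the built-in account and the tier-0 admin group).
EXPECTED_MEMBERS = {"Administrator", "Domain Admins"}

# Authorities whose principals are local or well-known rather than domain accounts.
LOCAL_AUTHORITIES = {"NT AUTHORITY", "BUILTIN"}


def parse_local_groups(text: str) -> Dict[str, List[str]]:
    """Return {group: [member, ...]}.

    Seatbelt prints each group name unindented and its members indented below it;
    the banner ("======") and the "[*]" status line are skipped."""
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("=") or raw.startswith("[*]"):
            continue
        if raw[0].isspace():
            if current is not None:
                groups[current].append(raw.strip())
        else:
            current = raw.strip()
            groups.setdefault(current, [])
    return groups


def split_principal(member: str) -> Tuple[str, str]:
    """'CORP\\\\john.doe' -> ('CORP', 'john.doe'); a bare name yields ('', name)."""
    domain, _, name = member.rpartition("\\")
    return domain, name


def find_external_privileged_members(groups: Dict[str, List[str]],
                                     local_host: str) -> List[Tuple[str, str]]:
    """List (group, member) pairs where a principal that is neither local to
    `local_host`, a well-known authority, nor on the expected list holds
    membership in a privileged group. Individual domain user accounts in
    Administrators are the usual finding."""
    findings: List[Tuple[str, str]] = []
    skip_domains = {local_host.upper()} | LOCAL_AUTHORITIES
    for group, members in groups.items():
        if group not in PRIVILEGED_GROUPS:
            continue
        for member in members:
            domain, name = split_principal(member)
            if domain.upper() in skip_domains or name in EXPECTED_MEMBERS:
                continue
            findings.append((group, member))
    return findings


if __name__ == "__main__":
    parsed = parse_local_groups(SAMPLE_OUTPUT)
    for group, member in find_external_privileged_members(parsed, "WORKSTATION01"):
        print(f"{group}: {member}")
```

Run it against real output by piping the saved Seatbelt text into `parse_local_groups`; the `-full` flag only adds empty groups, which the parser represents as groups with an empty member list.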

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Group enumeration is common reconnaissance activity.
  • API Calls: Uses NetLocalGroupEnum/NetLocalGroupGetMembers
  • WMI Activity: Remote execution generates WMI events
  • Network Traffic: Remote queries over SMB/RPC
  • Event Logs: May trigger event 4799 (a security-enabled local group membership was enumerated)
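As an added example (not Seatbelt's or Microsoft's code), the script below shows how the 4799 signal above can be turned into a detection: it groups 4799 events by caller process and logon session and flags callers that enumerate several distinct local groups within a short window, which is how a recon tool behaves and how routine management processes usually do not. The event records are constructed samples shaped like the EventData fields of 4799 (SubjectUserName, SubjectLogonId, TargetUserName, CallerProcessName, CallerProcessId); the window, threshold and benign-caller list are assumptions to tune per environment.

```python
"""Flag bursts of local-group membership enumeration (Security event 4799)
from a single caller process. Added example for this page; the events are
constructed samples and the thresholds are assumptions."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def _ev(ts: str, user: str, logon: str, group: str, proc: str, pid: str) -> Dict[str, str]:
    """Build one constructed 4799-style record (subset of the real EventData fields)."""
    return {"TimeCreated": ts, "SubjectUserName": user, "SubjectLogonId": logon,
            "TargetUserName": group, "CallerProcessName": proc, "CallerProcessId": pid}


TOOL = "C:\\Users\\john.doe\\Downloads\\tool.exe"   # constructed path
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
EXPLORER = "C:\\Windows\\explorer.exe"

# Constructed sample: one unknown binary enumerating four groups in one second,
# a service host doing the same (excluded as benign), and explorer.exe touching
# two groups an hour apart (too slow to be a burst).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    _ev("2024-05-01T09:00:00", "john.doe", "0x3e7a1", "Administrators", TOOL, "0x1a2c"),
    _ev("2024-05-01T09:00:00", "john.doe", "0x3e7a1", "Remote Desktop Users", TOOL, "0x1a2c"),
    _ev("2024-05-01T09:00:01", "john.doe", "0x3e7a1", "Users", TOOL, "0x1a2c"),
    _ev("2024-05-01T09:00:01", "john.doe", "0x3e7a1", "Backup Operators", TOOL, "0x1a2c"),
    _ev("2024-05-01T09:00:05", "WORKSTATION01$", "0x3e7", "Administrators", SVCHOST, "0x3f0"),
    _ev("2024-05-01T09:00:05", "WORKSTATION01$", "0x3e7", "Users", SVCHOST, "0x3f0"),
    _ev("2024-05-01T09:00:06", "WORKSTATION01$", "0x3e7", "Remote Desktop Users", SVCHOST, "0x3f0"),
    _ev("2024-05-01T09:10:00", "john.doe", "0x3e7a1", "Users", EXPLORER, "0x9c4"),
    _ev("2024-05-01T10:10:00", "john.doe", "0x3e7a1", "Administrators", EXPLORER, "0x9c4"),
]

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}
BURST_WINDOW = timedelta(seconds=60)      # assumption
MIN_DISTINCT_GROUPS = 3                   # assumption
# Processes that enumerate groups as part of normal logon/policy processing
# (assumption: tune to your environment; compared case-insensitively).
BENIGN_CALLERS = {"c:\\windows\\system32\\lsass.exe", "c:\\windows\\system32\\svchost.exe"}


def find_enumeration_bursts(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per (logon session, caller pid, caller path) whose
    4799 events cover >= MIN_DISTINCT_GROUPS distinct groups inside BURST_WINDOW.
    The largest qualifying window per caller is reported; benign callers are skipped."""
    by_caller = defaultdict(list)
    for ev in events:
        key = (ev["SubjectLogonId"], ev["CallerProcessId"], ev["CallerProcessName"].lower())
        by_caller[key].append((datetime.fromisoformat(ev["TimeCreated"]),
                               ev["TargetUserName"], ev["SubjectUserName"]))

    findings: List[Dict[str, object]] = []
    for (logon, pid, proc), seen in by_caller.items():
        if proc in BENIGN_CALLERS:
            continue
        seen.sort()
        best = None
        start = 0
        for end in range(len(seen)):          # sliding window over time-ordered events
            while seen[end][0] - seen[start][0] > BURST_WINDOW:
                start += 1
            groups = {g for _, g, _ in seen[start:end + 1]}
            if len(groups) >= MIN_DISTINCT_GROUPS and (best is None or len(groups) > len(best[0])):
                best = (groups, seen[start][0], seen[end][0])
        if best is not None:
            groups, first, last = best
            findings.append({
                "user": seen[-1][2], "logon_id": logon, "process": proc, "pid": pid,
                "groups": sorted(groups), "privileged": sorted(groups & PRIVILEGED_GROUPS),
                "first": first.isoformat(), "last": last.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_enumeration_bursts(SAMPLE_EVENTS):
        print(f"{f['user']} via {f['process']} (pid {f['pid']}) enumerated {f['groups']} "
              f"between {f['first']} and {f['last']}")
```

Event 4799 is only written when the Audit Security Group Management subcategory is enabled, so confirm the policy before relying on this rule; feed it from your SIEM by mapping the EventData fields to the keys used above.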