EXPLORE
← Back to Explore
T1069

Permission Groups Discovery

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: C...

ContainersIaaSIdentity ProviderLinuxmacOSOffice SuiteSaaSWindows
35
Detections
4
Sources
6
Threat Actors

BY SOURCE

23elastic7kql3sigma2splunk_escu

PROCEDURES (26)

General Monitoring3 detections

Auto-extracted: 3 detections for general monitoring

Azure2 detections

Auto-extracted: 2 detections for azure

Kubernetes2 detections

Auto-extracted: 2 detections for kubernetes

Command Line Monitoring2 detections

Auto-extracted: 2 detections for command line monitoring

Powershell2 detections

Auto-extracted: 2 detections for powershell

Privilege2 detections

Auto-extracted: 2 detections for privilege

Lateral1 detections

Auto-extracted: 1 detections for lateral

Powershell1 detections

Auto-extracted: 1 detections for powershell

Azure1 detections

Auto-extracted: 1 detections for azure

Service1 detections

Auto-extracted: 1 detections for service

Unusual1 detections

Auto-extracted: 1 detections for unusual

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Cloud1 detections

Auto-extracted: 1 detections for cloud

Token1 detections

Auto-extracted: 1 detections for token

Credential1 detections

Auto-extracted: 1 detections for credential

Cloud1 detections

Auto-extracted: 1 detections for cloud

Unusual1 detections

Auto-extracted: 1 detections for unusual

Lateral1 detections

Auto-extracted: 1 detections for lateral

Privilege1 detections

Auto-extracted: 1 detections for privilege

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Unusual1 detections

Auto-extracted: 1 detections for unusual

Credential1 detections

Auto-extracted: 1 detections for credential

Http1 detections

Auto-extracted: 1 detections for http

Http1 detections

Auto-extracted: 1 detections for http

Api1 detections

Auto-extracted: 1 detections for api

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

DETECTIONS (35)

Active Directory Discovery using AdExplorer
elasticlow
AdFind Command Activity
elasticlow
AWS IAM Principal Enumeration via UpdateAssumeRolePolicy
elasticmedium
Azure AD Graph Access with Suspicious User-Agent
elastichigh
Azure AD Graph Potential Enumeration (ROADrecon)
elastichigh
AzureHound Detection
kql
AzureHound Detection
kql
Cloud Discovery Performed by User At Risk
kql
Detect net(1).exe Discovery Activities
kql
Direct Interactive Kubernetes API Request by Unusual Utilities
elasticlow
Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration
elastichigh
Entra ID Sign-in BloodHound Suite User-Agent Detected
elastichigh
Entra ID Sign-in TeamFiltration User-Agent Detected
elastichigh
Enumeration of Administrator Accounts
elasticlow
Enumeration of Privileged Local Groups Membership
elasticmedium
Enumeration of Users or Groups via Built-in Commands
elasticlow
GKE Suspicious Self-Subject Review via Service Account
elasticlow
Kubectl Permission Discovery
elasticmedium
Kubernetes Direct API Request via Curl or Wget
elasticmedium
Kubernetes Suspicious Self-Subject Review via Unusual User Agent
elasticlow
List net(1).exe discovery activities
kql
Local Group Discovery
kql
Malicious PowerShell Commandlets - PoshModule
sigmahigh
Malicious PowerShell Commandlets - ProcessCreation
sigmahigh
Malicious PowerShell Commandlets - ScriptBlock
sigmahigh
Operation download all users in Azure Active directory performed
kql
Potential Enumeration via Active Directory Web Service
elasticmedium
PowerShell Suspicious Discovery Related Windows API Functions
elasticlow
Sudo Command Enumeration Detected
elasticlow
Suspicious Access to LDAP Attributes
elasticlow
Unusual Group Name Accessed by a User
elasticlow
Unusual User Privilege Enumeration via id
elasticmedium
Whoami Process Activity
elasticlow
Windows Post Exploitation Risk Behavior
splunk_escu
Windows PowerView AD Access Control List Enumeration
splunk_escu