EXPLORE

← Back to Explore

T1069

Permission Groups Discovery

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: C...

ContainersIaaSIdentity ProviderLinuxmacOSOffice SuiteSaaSWindows

24

Detections

3

Sources

6

Threat Actors

BY SOURCE

19elastic3sigma2splunk_escu

PROCEDURES (17)

Privilege3 detections

Auto-extracted: 3 detections for privilege

General Monitoring3 detections

Auto-extracted: 3 detections for general monitoring

Azure2 detections

Auto-extracted: 2 detections for azure

Powershell2 detections

Auto-extracted: 2 detections for powershell

Kubernetes2 detections

Auto-extracted: 2 detections for kubernetes

Service1 detections

Auto-extracted: 1 detections for service

Lateral1 detections

Auto-extracted: 1 detections for lateral

Privilege1 detections

Auto-extracted: 1 detections for privilege

Unusual1 detections

Auto-extracted: 1 detections for unusual

Unusual1 detections

Auto-extracted: 1 detections for unusual

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Credential1 detections

Auto-extracted: 1 detections for credential

Powershell1 detections

Auto-extracted: 1 detections for powershell

Lateral1 detections

Auto-extracted: 1 detections for lateral

Unusual1 detections

Auto-extracted: 1 detections for unusual

Credential1 detections

Auto-extracted: 1 detections for credential

Powershell1 detections

Auto-extracted: 1 detections for powershell

THREAT ACTORS (6)

APT3 APT41 FIN13 Scattered Spider TA505 Volt Typhoon

DETECTIONS (24)

Active Directory Discovery using AdExplorer

AdFind Command Activity

AWS IAM Principal Enumeration via UpdateAssumeRolePolicy

Direct Interactive Kubernetes API Request by Unusual Utilities

Entra ID Sign-in BloodHound Suite User-Agent Detected

Entra ID Sign-in TeamFiltration User-Agent Detected

Enumeration of Administrator Accounts

Enumeration of Privileged Local Groups Membership

Enumeration of Users or Groups via Built-in Commands

Kubectl Permission Discovery

Kubernetes Direct API Request via Curl or Wget

Kubernetes Suspicious Self-Subject Review via Unusual User Agent

Malicious PowerShell Commandlets - PoshModule

Malicious PowerShell Commandlets - ProcessCreation

Malicious PowerShell Commandlets - ScriptBlock

Potential Enumeration via Active Directory Web Service

PowerShell Suspicious Discovery Related Windows API Functions

Sudo Command Enumeration Detected

Suspicious Access to LDAP Attributes

Unusual Group Name Accessed by a User

Unusual User Privilege Enumeration via id

Whoami Process Activity

Windows Post Exploitation Risk Behavior

Windows PowerView AD Access Control List Enumeration