T1069

Permission Groups Discovery

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: C...

Platforms: Containers, IaaS, Identity Provider, Linux, macOS, Office Suite, SaaS, Windows

Detections: 31 | Sources: 4 | Threat Actors: 6

BY SOURCE

elastic: 19 | kql: 7 | sigma: 3 | splunk_escu: 2 (31 total)

PROCEDURES (24)

Auto-extracted tags, each with the number of detections it covers (tags overlap, so the counts do not sum to 31):

Azure (3 detections)
General Monitoring (3 detections)
Powershell (2 detections)
Kubernetes (2 detections)
Privilege (2 detections)
Command Line Monitoring (2 detections)
Powershell (1 detection)
Service (1 detection)
Privilege (1 detection)
Unusual (1 detection)
Unusual (1 detection)
Suspicious (1 detection)
Credential (1 detection)
Azure (1 detection)
Lateral (1 detection)
Suspicious (1 detection)
Exfiltrat (1 detection)
Credential (1 detection)
Powershell (1 detection)
Script Execution Monitoring (1 detection)
Suspicious (1 detection)
Lateral (1 detection)
Service (1 detection)
Unusual (1 detection)

DETECTIONS (31)

Each entry lists the rule name, then its source and, where the source assigns one, its severity.

Active Directory Discovery using AdExplorer (elastic, low)
AdFind Command Activity (elastic, low)
AWS IAM Principal Enumeration via UpdateAssumeRolePolicy (elastic, medium)
AzureHound Detection (kql)
AzureHound Detection (kql)
Cloud Discovery Performed by User At Risk (kql)
Detect net(1).exe Discovery Activities (kql)
Direct Interactive Kubernetes API Request by Unusual Utilities (elastic, low)
Entra ID Sign-in BloodHound Suite User-Agent Detected (elastic, medium)
Entra ID Sign-in TeamFiltration User-Agent Detected (elastic, medium)
Enumeration of Administrator Accounts (elastic, low)
Enumeration of Privileged Local Groups Membership (elastic, medium)
Enumeration of Users or Groups via Built-in Commands (elastic, low)
Kubectl Permission Discovery (elastic, medium)
Kubernetes Direct API Request via Curl or Wget (elastic, medium)
Kubernetes Suspicious Self-Subject Review via Unusual User Agent (elastic, low)
List net(1).exe discovery activities (kql)
Local Group Discovery (kql)
Malicious PowerShell Commandlets - PoshModule (sigma, high)
Malicious PowerShell Commandlets - ProcessCreation (sigma, high)
Malicious PowerShell Commandlets - ScriptBlock (sigma, high)
Operation download all users in Azure Active directory performed (kql)
Potential Enumeration via Active Directory Web Service (elastic, medium)
PowerShell Suspicious Discovery Related Windows API Functions (elastic, low)
Sudo Command Enumeration Detected (elastic, low)
Suspicious Access to LDAP Attributes (elastic, low)
Unusual Group Name Accessed by a User (elastic, low)
Unusual User Privilege Enumeration via id (elastic, medium)
Whoami Process Activity (elastic, low)
Windows Post Exploitation Risk Behavior (splunk_escu)
Windows PowerView AD Access Control List Enumeration (splunk_escu)
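The technique description above says group and permission discovery can be done "in many different ways", and the detections listed cover several of them individually (net.exe local and domain group enumeration, whoami, Get-LocalGroupMember, id, sudo -l, kubectl auth can-i). The script below is an added example, not code from this explorer page or from any of the listed rule sources: it runs a small set of command-line patterns over constructed process-creation events and then correlates the hits per host and user, so that a lone `id` or `whoami /groups` stays low severity while several distinct enumeration primitives in a short window are raised to high. The event shape, the sample events, the pattern list, the 600-second window and the severity thresholds are all assumptions chosen for the example.

```python
"""Toy T1069 (Permission Groups Discovery) detector over process-creation events.

Added example; the event format and sample data are constructed here. Real
telemetry (Sysmon EID 1, Windows 4688, auditd EXECVE, EDR process events)
would be normalised into ProcessEvent first.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    ts: int        # seconds since epoch (constructed)
    host: str
    user: str
    cmdline: str


# Illustrative patterns for the enumeration primitives the listed detections
# name. Assumption: these are not the exact logic of any vendor rule.
PATTERNS = [
    ("local_admin_group", re.compile(
        r'\bnet1?(\.exe)?\s+localgroup\s+"?(administrators|remote desktop users)"?', re.I)),
    ("domain_priv_group", re.compile(
        r'\bnet1?(\.exe)?\s+group\s+"?(domain|enterprise|schema)\s+admins"?\s+/do(main)?', re.I)),
    ("whoami_groups", re.compile(r"\bwhoami(\.exe)?\s+(/all|/groups|/priv)", re.I)),
    ("ps_group_member", re.compile(
        r"Get-(Local|AD)GroupMember|Get-ADPrincipalGroupMembership", re.I)),
    # Bare command names only; '/usr/bin/id' style invocations are not covered here.
    ("unix_id_groups", re.compile(r"^(id|groups)(\s|$)")),
    ("sudo_enum", re.compile(r"\bsudo\s+(-l|--list)\b")),
    ("k8s_can_i", re.compile(r"\bkubectl\s+auth\s+can-i\b")),
]

WINDOW_SECONDS = 600  # assumption: correlate hits within a 10-minute span


def classify(event: ProcessEvent) -> list[str]:
    """Return the labels of every pattern that matches the command line."""
    return [label for label, rx in PATTERNS if rx.search(event.cmdline)]


def severity(distinct_hits: int) -> str:
    """Assumed thresholds: one primitive is low, two medium, three or more high."""
    return "high" if distinct_hits >= 3 else "medium" if distinct_hits == 2 else "low"


def score_sessions(events, window: int = WINDOW_SECONDS) -> dict:
    """Correlate hits per (host, user).

    For every (host, user) the result holds the largest set of distinct
    enumeration primitives seen inside any `window`-second span starting at a
    hit, plus the severity derived from its size. Principals with no hits are
    omitted.
    """
    hits = defaultdict(list)  # (host, user) -> [(ts, label), ...]
    for ev in events:
        for label in classify(ev):
            hits[(ev.host, ev.user)].append((ev.ts, label))

    report = {}
    for key, entries in hits.items():
        entries.sort()
        best: set[str] = set()
        for i, (t0, _) in enumerate(entries):
            in_window = {lbl for t, lbl in entries[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        report[key] = {"labels": best, "severity": severity(len(best))}
    return report


# Constructed sample events: one noisy interactive session on ws01, benign
# activity on ws02, spread-out Linux/Kubernetes checks on srv03, one cmdlet on ws04.
SAMPLE_EVENTS = [
    ProcessEvent(100, "ws01", "CORP\\jdoe", "whoami /groups"),
    ProcessEvent(130, "ws01", "CORP\\jdoe", "net localgroup administrators"),
    ProcessEvent(160, "ws01", "CORP\\jdoe", 'net group "Domain Admins" /domain'),
    ProcessEvent(200, "ws02", "CORP\\svc_backup", "net use \\\\fs01\\share"),
    ProcessEvent(300, "srv03", "root", "id"),
    ProcessEvent(900, "srv03", "root", "sudo -l"),
    ProcessEvent(2000, "srv03", "root", "kubectl auth can-i --list"),
    ProcessEvent(2100, "ws04", "CORP\\admin1",
                 "powershell -c Get-LocalGroupMember -Group Administrators"),
]


if __name__ == "__main__":
    for (host, user), r in sorted(score_sessions(SAMPLE_EVENTS).items()):
        print(f"{host:6} {user:18} {r['severity']:6} {sorted(r['labels'])}")
```

On the sample data ws01 is reported high (three primitives in one minute), srv03 medium (`id` and `sudo -l` fall inside one window, the later `kubectl auth can-i` does not), ws04 low, and ws02 not at all. A bare `whoami` is deliberately not matched here; the listed "Whoami Process Activity" rule rates it low, and correlating it with the other primitives is what turns a low-fidelity signal into something worth an alert.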