T1069: Permission Groups Discovery

Data from MITRE ATT&CK®:

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Group Metadata (Group)

Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group

Group Enumeration (Group)

An extracted list of available groups and/or their associated settings (ex: AWS list-groups)

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Malicious PowerShell Commandlets - ScriptBlock

windows ps script

Malicious PowerShell Commandlets - ProcessCreation

windows process creation

Malicious PowerShell Commandlets - PoshModule

windows ps module