Permission Groups Discovery T1069

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Events covered

14 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 89 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so that Sigma's Image, Elastic's process.name and Splunk's process_name are meant to collapse into one row; the normalization is not complete, though (the tables below still list Image, process_name and process.args as separate rows), so read the per-field counts as lower bounds for the underlying concept. Each rule contributes at most once per row.

Fields filtered most (49 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, contains, in, ends_with, starts_with, wildcard, regex_match, match, gt) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 35 | contains 23, regex_match 8, in 4, match 1 | (?i)\s+(localgroup|group(s?)\s+.*doma)|Get-AD(PrincipalGr..., group, group, oudmp , (?i)(objectcategory|trustdmp|member\s(.*)?-list)
process_name | 25 | eq 18, match 3, ends_with 2, wildcard 2 | powershell.exe, wmic.exe, (?i)ipconfig.exe, (?i)net1?.exe, (?i)nltest.exe
EventID | 23 | eq 23 | 4104, 4103, 4688, 1, 4799
OriginalFileName | 18 | eq 18 | net1.exe, net.exe, adexp, wmic.exe, adfind.exe
ScriptBlockText | 15 | contains 14, in 2, eq 1 | get-wmiobject, (objectcategory=group), *[adsisearcher]*, *account operators*, *dns admins*
Image | 11 | ends_with 10, contains 1 | \adexp.exe, \adexplorer.exe, \adexplorer64.exe, \net.exe, \net1.exe
Type | 7 | eq 7 |
event.type | 6 | eq 6 | start
Payload | 5 | contains 5 | -f , -pr , add-exfiltration, add-persistence, add-regbackdoor
Description | 4 | contains 2, eq 2 | Active Directory Editor, reports effective permissions, sharphound
ObjectType | 4 | eq 3, contains 1 | SAM_GROUP, SAM_USER, SAM_ALIAS, {bf967a9c-0de6-11d0-a285-00aa003049e2}
Product | 4 | eq 2, contains 1, ends_with 1 | Sysinternals ADExplorer, AccessChk, sharphound
SubjectUserName | 4 | ends_with 4 | $
event_count | 4 | gt 4 | 0
file_name | 4 | in 3, eq 1 | *-azapplicationadmins.json, *-azcloudappadmins.json, *-azglobaladminrights.json, *.bat, *.cmd

Top indicator values (1103 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination, so it is never smaller than the Rules (here) count. High reach points to widely used indicators (EventID eq 4688 at 312, event.type eq start at 241, process_name eq cmd.exe at 75) that are noisy on their own; combine them with a technique-specific condition such as CommandLine contains group for useful signal. A blank reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
EventID | eq | 4104 | 14 | 268
EventID | eq | 4103 | 5 | 105
EventID | eq | 4688 | 5 | 312
EventID | eq | 1 | 3 | 232
OriginalFileName | eq | net1.exe | 6 | 43
OriginalFileName | eq | net.exe | 4 | 27
OriginalFileName | eq | adexp | 3 | 3
OriginalFileName | eq | wmic.exe | 3 | 61
event.type | eq | start | 6 | 241
process_name | eq | net1.exe | 5 | 34
process_name | eq | powershell.exe | 5 | 99
process_name | eq | wmic.exe | 4 | 44
process_name | eq | cmd.exe | 3 | 75
process_name | eq | dsquery.exe | 3 | 12
process_name | eq | net.exe | 3 | 20
CommandLine | contains | group | 4 | 6
CommandLine | contains | group | 2 | 2
SubjectUserName | ends_with | $ | 4 | 37
event_count | gt | 0 | 4 | 4
CommandLine | regex_match | (?i)\s+(localgroup|group(s?)\s+.*doma)|Get-AD(PrincipalGroupMembership|Group)... | 3 | 3
Image | ends_with | \adexp.exe | 3 | 3
Image | ends_with | \adexplorer.exe | 3 | 6
Image | ends_with | \adexplorer64.exe | 3 | 6
Image | ends_with | \adexplorer64a.exe | 3 | 4
ObjectName | starts_with | S-1-5-21- | 3 | 4
process.args | eq | group | 3 | 3
process_name | match | (?i)ipconfig.exe | 3 | 3
process_name | match | (?i)net1?.exe | 3 | 3
process_name | match | (?i)nltest.exe | 3 | 3
process_name | match | (?i)systeminfo.exe | 3 | 3

Exclusions (33 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: machine accounts (SubjectUserName ending in $), the LocalSystem SID S-1-5-18, net.exe invocations that modify a group rather than enumerate it (/add, /delete), and management agents and PowerShell hosts that enumerate groups as part of normal operation. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
SubjectUserName | ends_with | $ | 4
user.id | eq | S-1-5-18 | 2
CommandLine | contains | add | 1
CommandLine | ends_with | /add | 1
CommandLine | ends_with | /delete | 1
Image | ends_with | \adfind.exe | 1
Image | ends_with | \svchost.exe | 1
Image | wildcard | ?:\program files\microsoft monitoring agent\*.exe | 1
Image | wildcard | ?:\program files\powershell\?\pwsh.exe | 1
Image | wildcard | ?:\windows\adws\microsoft.activedirectory.webservices.exe | 1
Image | wildcard | ?:\windows\system32\dsac.exe | 1
Image | wildcard | ?:\windows\system32\windowspowershell\*.exe | 1
Image | wildcard | ?:\windows\syswow64\windowspowershell\*.exe | 1
ParentImage | eq | ?:\program files (x86)\citrix\workspace environment management... | 1
ParentImage | eq | ?:\program files (x86)\lansweeper\service\lansweeperservice.exe | 1
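The two tables above describe a rule shape without showing one run. The following is an added example, written for this page in Python rather than in Sigma, Splunk or Elastic syntax, and not taken from any rule in the catalog: it evaluates the high-reach indicator OriginalFileName eq net.exe/net1.exe on its own, then the same indicator combined with a group-enumeration token and the catalog's top exclusions (/add, /delete, SubjectUserName ends_with $), over a set of constructed process-creation events. The event field names are assumed to be the catalog's normalized names; the event values, the GROUP_ENUM regex and the MODIFY_FLAGS regex are this example's own choices, not values from the tables.

```python
"""Added example (not catalog or vendor code): a T1069-style predicate run
over constructed Windows process-creation events, comparing a bare
high-reach indicator with the same indicator plus a second condition and
the exclusions listed on this page."""
import re

# Constructed sample events.  Field names follow the catalog's normalized
# rows (EventID, OriginalFileName, CommandLine, SubjectUserName); the
# values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4688, "OriginalFileName": "net.exe",
     "CommandLine": "net localgroup administrators",
     "SubjectUserName": "jdoe"},                      # local group enumeration
    {"EventID": 4688, "OriginalFileName": "net1.exe",
     "CommandLine": 'net1 group "Domain Admins" /domain',
     "SubjectUserName": "jdoe"},                      # domain group membership
    {"EventID": 4688, "OriginalFileName": "net.exe",
     "CommandLine": "net localgroup administrators svc_backup /add",
     "SubjectUserName": "helpdesk"},                  # modification, not discovery
    {"EventID": 4688, "OriginalFileName": "net.exe",
     "CommandLine": "net group /domain",
     "SubjectUserName": "WS01$"},                     # machine account
    {"EventID": 4688, "OriginalFileName": "net.exe",
     "CommandLine": r"net use Z: \\fileserver\share",
     "SubjectUserName": "jdoe"},                      # unrelated net.exe use
    {"EventID": 4688, "OriginalFileName": "ipconfig.exe",
     "CommandLine": "ipconfig /all",
     "SubjectUserName": "jdoe"},                      # not net.exe at all
]

# Second condition (this example's own regex): the command line names a
# group object.  Tighter than the catalog's "CommandLine contains group".
GROUP_ENUM = re.compile(r"(?i)\b(localgroup|group)\b")
# Exclusion modelled on the catalog's "CommandLine ends_with /add, /delete".
MODIFY_FLAGS = re.compile(r"(?i)\s/(add|delete)\s*$")


def bare_indicator(event):
    """The high-reach indicator alone: OriginalFileName eq net.exe/net1.exe
    on a 4688 event, with no further condition."""
    return (event.get("EventID") == 4688
            and event.get("OriginalFileName", "").lower() in {"net.exe", "net1.exe"})


def combined_rule(event):
    """bare_indicator AND a group token AND none of the page's exclusions."""
    if not bare_indicator(event):
        return False
    cmd = event.get("CommandLine", "")
    if not GROUP_ENUM.search(cmd):
        return False        # net.exe doing something other than group discovery
    if MODIFY_FLAGS.search(cmd):
        return False        # excluded: a membership change, not discovery
    if event.get("SubjectUserName", "").endswith("$"):
        return False        # excluded: machine accounts
    return True


def evaluate(events=SAMPLE_EVENTS):
    """Return the indices each predicate fires on so the two can be compared."""
    return {
        "bare": [i for i, e in enumerate(events) if bare_indicator(e)],
        "combined": [i for i, e in enumerate(events) if combined_rule(e)],
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:9s} fires on events {hits}")
```

On the sample set the bare indicator fires on every net.exe/net1.exe event, including the account modification, the machine-account job and the drive mapping, while the combined predicate fires only on the two enumeration commands. The same three checks map directly onto a Sigma selection plus a filter block, or onto the NOT clauses the exclusions table records.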

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor (89 in total).

Sigma: 30 rules

Elastic: 8 rules

Splunk: 48 rules

Kusto: 2 rules

YARA-L: 1 rule