Permission Groups Discovery T1069
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
Events covered
14 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 7 | Image loaded |
| Sysmon | Event ID 11 | FileCreate |
| Security-Auditing | Event ID 4661 | A handle to an object was requested. |
| Security-Auditing | Event ID 4662 | An operation was performed on an object. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 4799 | A security-enabled local group membership was enumerated. |
| Defender-DeviceEvents | LdapSearch | LDAP search |
| Defender-DeviceProcessEvents | any | Process activity (any) |
| LDAP-Client | Event ID 30 | LDAP search request |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| PowerShell | Event ID 800 | Event ID 800 |
Authoring guide
Patterns shared across the 89 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (49 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1103 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (33 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 30 rules
- Active Directory Database Snapshot Via ADExplorer
- Active Directory Group Enumeration With Get-AdGroup
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- ADExplorer Writing Complete AD Snapshot Into .dat File
- BloodHound Collection Files
- Domain group enumeration
- Group discovery (command)
- Group discovery (PowerShell)
- HackTool - Bloodhound/Sharphound Execution
- HackTool - SharpView Execution
- Local domain group enumeration
- Local group enumeration triggered by Azure Virtual machine recovery tool
- Local Groups Reconnaissance Via Wmic.EXE
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- Net.EXE Execution
- Permission Check Via Accesschk.EXE
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- PUA - AdFind Suspicious Execution
- Reconnaissance Activity
- Remote local admin group enumeration via SharpHound
- Renamed AdFind Execution
- Sensitive SAM domain user & groups discovery (native)
- Suspicious Active Directory Database Snapshot Via ADExplorer
- Suspicious Get Information for SMB Share
- Suspicious Get Information for SMB Share - PowerShell Module
- Suspicious Get Local Groups Information
- Suspicious Get Local Groups Information - PowerShell
Elastic 8 rules
- Active Directory Discovery using AdExplorer
- AdFind Command Activity
- Enumeration of Administrator Accounts
- Potential Enumeration via Active Directory Web Service
- Remote System Discovery Commands
- Suspicious Access to LDAP Attributes
- Whoami Process Activity
- Windows Account or Group Discovery
Splunk 48 rules
- Adfind Commands (PowerShell)
- Adfind Commands (Sysmon)
- Adfind Commands (Windows Event Log)
- Adfind Execution (EDR)
- Adfind Execution (PowerShell)
- Adfind Execution (Sysmon)
- Adfind Execution (Windows Event Log)
- Detect AzureHound Command-Line Arguments
- Detect AzureHound File Modifications
- Detect SharpHound Command-Line Arguments
- Detect SharpHound File Modifications
- Detect SharpHound Usage
- Domain Group Discovery with Adsisearcher
- Domain Group Discovery With Dsquery
- Domain Group Discovery With Wmic
- Elevated Group Discovery with PowerView
- Elevated Group Discovery With Wmic
- Get WMIObject Group Discovery
- Get WMIObject Group Discovery with Script Block Logging
- GetAdGroup with PowerShell
- GetAdGroup with PowerShell Script Block
- GetDomainGroup with PowerShell
- GetDomainGroup with PowerShell Script Block
- GetWmiObject Ds Group with PowerShell
- GetWmiObject Ds Group with PowerShell Script Block
- IcedID Discovery Commands (EDR)
- IcedID Discovery Commands (Sysmon)
- IcedID Discovery Commands (Windows Event Log)
- Network Traffic to Active Directory Web Services Protocol
- Permission Groups Discovery: Domain Groups (PowerShell)
- Permission Groups Discovery: Domain Groups (Sysmon)
- Permission Groups Discovery: Domain Groups (Windows Event Log)
- Permission Groups Discovery: Local Groups (PowerShell)
- Permission Groups Discovery: Local Groups (Sysmon)
- Permission Groups Discovery: Local Groups (Windows Event Log)
- PowerShell Get LocalGroup Discovery
- Powershell Get LocalGroup Discovery with Script Block Logging
- PowerView_SharpView Commands (PowerShell)
- SharpHound Enumeration (Windows Event Log)
- SharpHound Keywords (PowerShell)
- Windows Admin Permission Discovery
- Windows Azure PowerShell Module Installation Via PowerShell Script
- Windows Group Discovery Via Net
- Windows Ldifde Directory Object Behavior
- Windows PowerView AD Access Control List Enumeration
- Windows Sensitive Group Discovery With Net
- Windows SOAPHound Binary Execution
- Wmic Group Discovery