Description
Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)
Platforms
Sub-Techniques (3)
Threat Groups (6)
| ID | Group | Context |
|---|---|---|
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used <code>net group</code> commands to enumerate various Windows user groups and permissions.(Citation... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has enumerated the vSphere Admins and ESX Admins groups in targeted environments.(Citation: ... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used TinyMet to enumerate members of privileged groups.(Citation: IBM TA505 April 2020) [TA505](htt... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used commercial tools, LOTL utilities, and appliances already present on the system for grou... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can enumerate the permissions associated with Windows groups.(Citation: Symantec Buckeye... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has enumerated all users and roles from a victim's main treasury system.(Citation: Mandiant FIN13 Aug 2... |
Associated Software (6)
| ID | Name | Type | Context |
|---|---|---|---|
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) has the ability to identify Workgroup membership.(Citation: IBM IcedID November 2017) |
| S0335 | Carbon | Malware | [Carbon](https://attack.mitre.org/software/S0335) uses the <code>net group</code> command.(Citation: GovCERT Carbon May 2016) |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) can identify the groups the user on a compromised host belongs to.(Citation: Cyberreason Anchor De... |
| S0233 | MURKYTOP | Malware | [MURKYTOP](https://attack.mitre.org/software/S0233) has the capability to retrieve information about groups.(Citation: FireEye Periscope March 2018) |
| S0445 | ShimRatReporter | Tool | [ShimRatReporter](https://attack.mitre.org/software/S0445) gathered the local privileges for the infected host.(Citation: FOX-IT May 2016 Mofang) |
| S0623 | Siloscape | Malware | [Siloscape](https://attack.mitre.org/software/S0623) checks for Kubernetes node permissions.(Citation: Unit 42 Siloscape Jun 2021) |
References
- Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021.
- Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.
Frequently Asked Questions
What is T1069 (Permission Groups Discovery)?
T1069 is a MITRE ATT&CK technique named 'Permission Groups Discovery'. It belongs to the Discovery tactic. Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular g...
How can T1069 be detected?
Detection of T1069 (Permission Groups Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
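Detection logic for the `net group` enumeration that the tables above attribute to APT41 and Carbon, as an added example that is not part of the ATT&CK page: it scans constructed, Sysmon-like process-creation events (invented here) for net.exe group verbs and keeps the user and parent process so an analyst can judge whether the context is expected. The `localgroup` verb and the net1.exe helper that net.exe hands work to are not mentioned on the page and come from general Windows knowledge.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events in a Sysmon-like shape (not from any real host).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
    {"user": "CORP\\svc-web", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "cmdline": 'net  group "Domain Admins" /domain'},
    {"user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\net1 localgroup administrators"},
    {"user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "net use Z: \\\\fs01\\share"},
    {"user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "netstat -an"},
]

# net.exe or its helper net1.exe, with or without path/extension/quotes, followed by the
# 'group' (domain) or 'localgroup' (local SAM) verb. Anchored so 'netstat' does not match.
_NET_GROUP = re.compile(
    r'^(?:"?[^"\s]*\\)?net1?(?:\.exe)?"?\s+(group|localgroup)\b(.*)$', re.IGNORECASE)

def parse_net_group(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (scope, target) for a net/net1 group enumeration, else None.
    target is the quoted or bare group name, or '*' when every group is listed."""
    m = _NET_GROUP.match(cmdline.strip())
    if not m:
        return None
    scope = "domain" if m.group(1).lower() == "group" else "local"
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', m.group(2))]
    target = tokens[0] if tokens and not tokens[0].startswith("/") else "*"
    return scope, target

def detect_permission_group_discovery(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag events matching T1069-style group enumeration via net.exe, keeping the
    user and parent process for triage."""
    findings = []
    for ev in events:
        parsed = parse_net_group(ev["cmdline"])
        if parsed is None:
            continue
        scope, target = parsed
        findings.append({
            "user": ev["user"], "parent": ev["parent"], "scope": scope, "target": target,
            # Queries naming an administrative group, or listing every group, rank higher.
            "severity": "high" if "admin" in target.lower() or target == "*" else "medium",
        })
    return findings
```

Running `detect_permission_group_discovery(SAMPLE_EVENTS)` yields two findings, one of them a domain query launched from a web-server worker process, which is the kind of parent-process context a SIEM rule should surface alongside the command line.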
What mitigations exist for T1069?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1069?
Known threat groups using T1069 include: APT41, Scattered Spider, TA505, Volt Typhoon, APT3, FIN13.