Technique on mitre.org

T1069: Permission Groups Discovery

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

postgresql_database: PT-CR-1830: PostgreSQL_Users_Discovery: Execution of some SQL commands may indicate that information about the PostgreSQL database users is retrieved, which may indicate attacker activity postgresql_database: PT-CR-1829: PostgreSQL_Structure_Discovery: Execution of certain SQL commands may indicate reconnaissance of the internal structure of the PostgreSQL database, which may indicate attacker activity

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly constructed processes and/or command-lines for actions that could be taken to gather system and network information. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

ID	DS0036	Data source and component	Group: Group Metadata	Description	Monitor for contextual data about a group which describes group and activity around it.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor for logging, messaging, and other artifacts provided by cloud services.

ID	DS0036	Data source and component	Group: Group Enumeration	Description	Monitor for an extracted list of ACLs of available groups and/or their associated settings.

ID	Data source and component	Description
DS0009	Process: Process Creation	Monitor for newly constructed processes and/or command-lines for actions that could be taken to gather system and network information. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
DS0036	Group: Group Metadata	Monitor for contextual data about a group which describes group and activity around it.
DS0017	Command: Command Execution	Monitor executed commands and arguments acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
DS0015	Application Log: Application Log Content	Monitor for logging, messaging, and other artifacts provided by cloud services.
DS0036	Group: Group Enumeration	Monitor for an extracted list of ACLs of available groups and/or their associated settings.