Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.
Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1069 | Permission Groups Discovery | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), strengthens cybersecurity defenses by enabling faster, real-time detection of Permission Groups Discovery activity. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain while minimizing system performance impact.
Permission Groups Discovery techniques involve attackers querying and discovering the permissions associated with different user groups and system accounts. By identifying group memberships and their associated permissions, adversaries gain insight into the system's security configuration, which may help them target high-privilege accounts or escalate their access. These techniques are often used in the early stages of lateral movement, allowing attackers to plan and execute privilege escalation or data exfiltration.
Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow at the hardware level. This telemetry helps security teams quickly detect abnormal behaviors, such as unauthorized attempts to query permission groups or access sensitive system configurations. By continuously monitoring these low-level activities, Intel TDT can reveal attempts to map user groups or escalate privileges.
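The mapping above relies on hardware-level telemetry, but the same technique is also visible in ordinary process-creation logs, which is where most teams will first detect it. The following is an added example written for this page; it is not Intel, CrowdStrike, or MITRE code and does not model the Intel TDT data path. It classifies command lines against the group-enumeration commands named in the public T1069 sub-technique descriptions (Local Groups and Domain Groups), then reports a finding only when one host/user pair runs several such commands inside a short window, since a single `net localgroup` is routine administration while a burst spanning local and domain groups is the discovery pattern. The event schema, hostnames, usernames and timestamps are constructed for the example.

```python
"""Detection sketch for ATT&CK T1069 (Permission Groups Discovery) over
process-creation events.  The command patterns come from the public ATT&CK
sub-technique descriptions; the event format below is a constructed
assumption, not a CrowdStrike, Intel TDT, or Windows event schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (sub-technique id, label, compiled pattern over the full command line)
RULES = [
    ("T1069.001", "Local Groups",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+localgroup\b", re.I)),
    ("T1069.001", "Local Groups",
     re.compile(r"\bGet-LocalGroup(?:Member)?\b", re.I)),
    ("T1069.001", "Local Groups",            # Linux/macOS: groups, id
     re.compile(r"^(?:/usr/bin/|/bin/)?(?:groups|id)(?:\s|$)")),
    ("T1069.001", "Local Groups",            # macOS directory service
     re.compile(r"\bdscl\b.*/Groups\b", re.I)),
    ("T1069.002", "Domain Groups",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+group\b.*/domain\b", re.I)),
    ("T1069.002", "Domain Groups",
     re.compile(r"\bGet-AD(?:GroupMember|PrincipalGroupMembership|Group)\b", re.I)),
    ("T1069.002", "Domain Groups",
     re.compile(r"\bdscacheutil\b.*-q\s+group\b", re.I)),
    ("T1069.002", "Domain Groups",
     re.compile(r"\bldapsearch\b.*group", re.I)),
]


def classify(cmdline):
    """Return (sub-technique id, label) for the first matching rule, else None."""
    for sub_id, label, pattern in RULES:
        if pattern.search(cmdline):
            return sub_id, label
    return None


def find_enumeration_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Group matching events per (host, user) and emit one finding when at
    least `threshold` group-enumeration commands fall inside `window`.
    Events are dicts with keys ts (datetime), host, user, cmdline."""
    hits = defaultdict(list)                      # (host, user) -> [(ts, sub_id, cmd)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev["cmdline"])
        if hit:
            hits[(ev["host"], ev["user"])].append((ev["ts"], hit[0], ev["cmdline"]))

    findings = []
    for (host, user), seq in hits.items():
        start = 0                                 # sliding window over the sorted hits
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                span = seq[start:end + 1]
                findings.append({
                    "host": host, "user": user,
                    "first": span[0][0], "last": span[-1][0],
                    "subtechniques": sorted({s[1] for s in span}),
                    "commands": [s[2] for s in span],
                })
                break                             # one finding per host/user pair
    return findings


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real events): one enumeration burst,
# one lone admin check hours apart, one isolated macOS query.
SAMPLE_EVENTS = [
    {"ts": _ts("2024-05-01T09:00:00"), "host": "ws01", "user": "alice",
     "cmdline": "net localgroup administrators"},
    {"ts": _ts("2024-05-01T09:00:12"), "host": "ws01", "user": "alice",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": _ts("2024-05-01T09:00:40"), "host": "ws01", "user": "alice",
     "cmdline": "powershell -c Get-ADGroupMember -Identity 'Domain Admins'"},
    {"ts": _ts("2024-05-01T09:01:05"), "host": "ws01", "user": "alice",
     "cmdline": "notepad.exe report.txt"},
    {"ts": _ts("2024-05-01T11:30:00"), "host": "srv02", "user": "bob",
     "cmdline": "net localgroup"},
    {"ts": _ts("2024-05-01T15:30:00"), "host": "srv02", "user": "bob",
     "cmdline": "groups"},
    {"ts": _ts("2024-05-01T10:00:00"), "host": "mac03", "user": "carol",
     "cmdline": "dscl . -list /Groups"},
]

if __name__ == "__main__":
    for f in find_enumeration_bursts(SAMPLE_EVENTS):
        print(f"{f['host']}/{f['user']}: {len(f['commands'])} group queries "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S} "
              f"({', '.join(f['subtechniques'])})")
```

Run against the sample, only the `ws01`/`alice` sequence is reported, tagged with both T1069.001 and T1069.002; the two `srv02` commands four hours apart and the single `dscl` query stay below the threshold. The window and threshold are the tuning knobs: tighten them for servers where group queries are rare, and pair the rule with an allow-list for inventory or configuration-management accounts that legitimately enumerate groups on a schedule.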