T1069 Permission Groups Discovery Mappings

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1069 Permission Groups Discovery

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
identity_and_access_management Identity and Access Management technique_scores T1069 Permission Groups Discovery
Comments
Group permissions and settings are inherited using the IAM roles that are specifically granted to that group by admins. This control provides protection of possible adversaries that may determine which user accounts and groups memberships are available in cloud accounts. Received a score of Minimal because it only covers one of the sub-techniques.
References

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1069.003 Cloud Groups 1
T1069.001 Local Groups 1