T1069 — Permission Groups Discovery

Technique

T1069

Tactics

Discovery

MISP citations

0

KEV CVEs mapped

1

Community rules

3

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1069

MITRE description

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions. Adversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-44515

Detection coverage

SigmaHQ community rules

• Malicious PowerShell Commandlets - PoshModule (core)
• Malicious PowerShell Commandlets - ScriptBlock (core)
• Malicious PowerShell Commandlets - ProcessCreation (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.