Permission Groups Discovery (T1069)

See technique results for:

Carbanak+FIN7: The technique was not in scope.

APT29 steps: 4.C.9, 4.C.11

Procedure
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria
powershell.exe executing the NetUserGetGroups API
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria
powershell.exe executing the NetUserGetLocalGroups API
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.

