AN0696: Analytic 0696
Identifies unauthorized access or enumeration of administrative roles, security groups, or distribution groups via Exchange/SharePoint/Teams APIs or role discovery scripts.
Analyst context for executives and security teams
This analytic is about spotting unauthorized discovery of high-value Microsoft 365 collaboration and identity-adjacent structures: administrative roles, security groups, and distribution groups, queried through Exchange, SharePoint, or Teams APIs or through role discovery scripts. For leaders, the practical issue is not enumeration as such but what it reveals: who holds privilege, which groups control access, and how communications and collaboration permissions are organized. That information can materially improve an intruder’s ability to plan follow-on actions, so organizations should treat visibility into this behavior as part of Office Suite monitoring readiness.
Executive priority
Prioritize this where Microsoft 365 / Office Suite services are business-critical or where privileged role governance, group ownership, and collaboration access are audit-sensitive. Executives should ask whether SOC and IR teams can prove they collect and review administrative-role and group-enumeration activity across Exchange, SharePoint, and Teams, and whether unusual API/script-based discovery would be investigated quickly. This is also useful compliance evidence for privileged access oversight and cloud collaboration monitoring.
Technical view
Validate monitoring for Exchange, SharePoint, and Teams API activity that queries or enumerates administrative roles, security groups, or distribution groups. Because the supplied ATT&CK object provides no official detection logic and no tactic mapping, detection teams should avoid assuming a single rule is sufficient. Focus on baselining expected administrative tooling, service accounts, helpdesk workflows, and governance scripts, then identify access patterns that are unauthorized, unusual for the actor, unusually broad, or inconsistent with approved administration.
Likely telemetry
- Office Suite audit logs for Exchange, SharePoint, and Teams activity
- API access records related to role, group, or distribution list discovery
- Administrative role lookup and group membership enumeration events
- Script execution or automation traces where available for role discovery scripts
- Identity context for the requesting user, service principal, or automation account
Detection direction
- Confirm that audit logging is enabled and retained for Exchange, SharePoint, and Teams administrative and API activity.
- Baseline legitimate role and group discovery by administrators, helpdesk staff, governance tools, and approved automation.
- Alert on unusual breadth, frequency, timing, source identity, or source location of role/group enumeration activity.
- Correlate enumeration with identity risk context, recent authentication anomalies, privilege changes, or access from unfamiliar accounts.
- Tune carefully for false positives from directory synchronization, compliance tooling, migration projects, and sanctioned administrative scripts.
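The "Technical view" and the detection direction above both come down to the same workflow: collect the audit records, set aside the baselined automation and admin egress, then score what remains by breadth, frequency and source. The following is an added example written for this page; it is not Glexia's or MITRE's code and the page supplies no detection logic. It assumes newline-delimited JSON records in the shape of a Microsoft 365 unified audit log export (CreationTime, UserId, Operation, Workload, ClientIP, ObjectId); the operation names, accounts, group names and addresses are constructed sample values, and which operations a tenant actually records depends on its own audit configuration and licensing.

```python
"""Score role/group enumeration activity from unified-audit-log-style records.

Added example for the AN0696 page; not the page's own detection logic.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (illustrative values only). Fields follow the unified
# audit log record shape; the Operation names are Exchange cmdlets used here as
# stand-ins for "role/group enumeration" events, whatever the tenant really logs.
SAMPLE_LOG = """\
{"CreationTime": "2026-03-02T09:00:05", "UserId": "gov-sync@contoso.example", "Operation": "Get-RoleGroupMember", "Workload": "Exchange", "ClientIP": "10.20.0.15", "ObjectId": "Organization Management"}
{"CreationTime": "2026-03-02T09:00:06", "UserId": "gov-sync@contoso.example", "Operation": "Get-RoleGroupMember", "Workload": "Exchange", "ClientIP": "10.20.0.15", "ObjectId": "Recipient Management"}
{"CreationTime": "2026-03-02T09:00:07", "UserId": "gov-sync@contoso.example", "Operation": "Get-DistributionGroupMember", "Workload": "Exchange", "ClientIP": "10.20.0.15", "ObjectId": "all-staff"}
{"CreationTime": "2026-03-02T09:05:00", "UserId": "helpdesk1@contoso.example", "Operation": "Get-DistributionGroupMember", "Workload": "Exchange", "ClientIP": "10.20.0.40", "ObjectId": "finance-team"}
{"CreationTime": "2026-03-02T09:06:30", "UserId": "helpdesk1@contoso.example", "Operation": "Get-DistributionGroupMember", "Workload": "Exchange", "ClientIP": "10.20.0.40", "ObjectId": "hr-team"}
{"CreationTime": "2026-03-02T09:12:00", "UserId": "j.doe@contoso.example", "Operation": "Get-RoleGroupMember", "Workload": "Exchange", "ClientIP": "203.0.113.7", "ObjectId": "Organization Management"}
{"CreationTime": "2026-03-02T09:12:20", "UserId": "j.doe@contoso.example", "Operation": "Get-RoleGroupMember", "Workload": "Exchange", "ClientIP": "203.0.113.7", "ObjectId": "Recipient Management"}
{"CreationTime": "2026-03-02T09:12:41", "UserId": "j.doe@contoso.example", "Operation": "Get-RoleGroupMember", "Workload": "Exchange", "ClientIP": "203.0.113.7", "ObjectId": "Discovery Management"}
{"CreationTime": "2026-03-02T09:13:05", "UserId": "j.doe@contoso.example", "Operation": "Get-ManagementRoleAssignment", "Workload": "Exchange", "ClientIP": "203.0.113.7", "ObjectId": "Security Administrator"}
{"CreationTime": "2026-03-02T09:13:30", "UserId": "j.doe@contoso.example", "Operation": "Get-DistributionGroupMember", "Workload": "Exchange", "ClientIP": "203.0.113.7", "ObjectId": "executives"}
{"CreationTime": "2026-03-02T09:14:02", "UserId": "j.doe@contoso.example", "Operation": "Get-DistributionGroupMember", "Workload": "Exchange", "ClientIP": "203.0.113.7", "ObjectId": "it-admins"}
{"CreationTime": "2026-03-02T09:15:00", "UserId": "j.doe@contoso.example", "Operation": "Set-Mailbox", "Workload": "Exchange", "ClientIP": "203.0.113.7", "ObjectId": "j.doe"}
{"CreationTime": "2026-03-02T09:45:00", "UserId": "j.doe@contoso.example", "Operation": "Get-DistributionGroupMember", "Workload": "Exchange", "ClientIP": "203.0.113.7", "ObjectId": "legal-team"}
{"CreationTime": "2026-03-02T10:02:00", "UserId": "helpdesk2@contoso.example", "Operation": "Get-DistributionGroupMember", "Workload": "Exchange", "ClientIP": "198.51.100.9", "ObjectId": "sales-team"}
"""

# Baseline inputs (assumed for the example): which operations count as enumeration,
# which identities are approved governance automation, and the admin egress range.
ENUMERATION_OPS = {"Get-RoleGroupMember", "Get-DistributionGroupMember",
                   "Get-ManagementRoleAssignment"}
APPROVED_ENUMERATORS = {"gov-sync@contoso.example"}
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
WINDOW = timedelta(minutes=10)   # sliding window for the breadth measure
BREADTH_THRESHOLD = 5            # distinct roles/groups inside one window


def parse_records(text):
    """Parse newline-delimited JSON records, attaching a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
            records.append(rec)
    return records


def from_admin_network(ip):
    """True when the client address falls inside a baselined admin range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def max_breadth(events):
    """Largest number of distinct targets one actor queried within any WINDOW.

    events must be sorted by timestamp; each event opens a window and the
    distinct ObjectId values inside it are counted.
    """
    best = 0
    for i, first in enumerate(events):
        targets = {e["ObjectId"] for e in events[i:] if e["_ts"] - first["_ts"] <= WINDOW}
        best = max(best, len(targets))
    return best


def find_suspicious_enumeration(records):
    """Return one finding per non-approved actor whose enumeration is broad or
    comes from outside the admin networks. Findings are sorted by actor."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] in ENUMERATION_OPS:   # ignore non-enumeration activity
            by_user[rec["UserId"]].append(rec)

    findings = []
    for user in sorted(by_user):
        if user in APPROVED_ENUMERATORS:          # baselined governance automation
            continue
        events = sorted(by_user[user], key=lambda e: e["_ts"])
        reasons = []
        breadth = max_breadth(events)
        if breadth >= BREADTH_THRESHOLD:
            reasons.append("broad_enumeration")
        unfamiliar = sorted({e["ClientIP"] for e in events if not from_admin_network(e["ClientIP"])})
        if unfamiliar:
            reasons.append("unfamiliar_source")
        if reasons:
            findings.append({"user": user, "events": len(events), "max_breadth": breadth,
                             "unfamiliar_sources": unfamiliar, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enumeration(parse_records(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Run against the constructed sample, helpdesk1 (two lookups from the admin range) and gov-sync (allowlisted automation) produce nothing, while j.doe is reported for six distinct roles and groups inside ten minutes from an unfamiliar address and helpdesk2 for a single lookup from an unfamiliar address. In practice the approved-identity set, admin ranges and thresholds come from the baselining step the page describes, and the "unfamiliar_source" reason is the hook for the identity-risk and authentication-anomaly correlation it recommends.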
Mitigation priorities
- Maintain least-privilege access to administrative role and group discovery capabilities within Office Suite services.
- Review who can enumerate sensitive administrative roles, security groups, and distribution groups, including service accounts and automation identities.
- Require governance for administrative scripts and API-based management activity, including ownership, approval, and logging expectations.
- Ensure Office Suite audit logs are retained long enough to support incident response and compliance evidence needs.
- Periodically test SOC visibility by validating that authorized enumeration activity is observable and distinguishable from unexpected activity.
Analyst notes and limits
This Glexia take is based on the supplied MITRE analytic description for AN0696 only. The object identifies a detection analytic for unauthorized access or enumeration of administrative roles, security groups, or distribution groups via Exchange/SharePoint/Teams APIs or role discovery scripts. No relationships, tactic mapping, or official detection logic were supplied, so recommendations are framed as validation and monitoring direction rather than a definitive analytic implementation.
The source object does not provide detection pseudocode, data source mappings, tactic/technique relationships, threat actor context, or mitigation text. Local tenant configuration, audit licensing/retention, administrative workflows, and approved automation must be reviewed before determining coverage or severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a0f6155e737c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0696 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.