ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Group Metadata

Group metadata includes attributes like name, permissions, purpose, and associated user accounts or roles, which adversaries may exploit for privilege escalation. Examples:

Active Directory: Get-ADGroup -Identity "Domain Admins" -Properties Members, Description
Azure AD: Get-AzureADGroup -ObjectId <GroupId>
Google Workspace: GET https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
AWS IAM: aws iam list-group-policies --group-name <group_name>
Office 365: GET https://graph.microsoft.com/v1.0/groups/<id>

Data Collection Measures:

Cloud Logging:
- AWS CloudTrail for IAM group-related activities.
- Azure AD Sign-In/Audit logs for metadata changes.
- Google Admin Activity logs for API calls.
Directory Logging: Log metadata access (e.g., Windows Event ID 4662).
API Monitoring: Log API calls to modify group metadata (e.g., Microsoft Graph API).
SIEM Integration: Centralize group metadata logs for analysis.

ID: DC0105

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
m365:sharepoint	Enumerate ACLs/role bindings

Detection Strategy

ID	Name	Technique Detected
DET0251	Behavioral Detection of Cloud Group Enumeration via API and CLI Access	T1069.003