A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights[1]
Group Enumeration
An extracted list of the groups defined in an identity system (local machine, Active Directory, Entra ID, Google Workspace, AWS IAM). Enumerating groups tells an adversary which groups carry elevated permissions, which roles or policies are attached to them, and where misconfigurations such as over-broad membership exist. Examples of calls that produce such a list:

- aws iam list-groups
- Get-ADGroup -Filter *
- Get-AzureADGroup (AzureAD module; Get-MgGroup is the Microsoft Graph PowerShell equivalent)
- GET https://graph.microsoft.com/v1.0/groups

Data Collection Measures:
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise | T1087.002 | Account Discovery: Domain Account | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise | T1069 | Permission Groups Discovery | Monitor for an extracted list of ACLs of available groups and/or their associated settings.
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | Monitor for an extracted list of available groups and/or their associated settings.

EID 4798 (a user's local group membership was enumerated) and 4799 (a security-enabled local group membership was enumerated) fire constantly during normal logon and Group Policy processing, so the usable signal is the volume of distinct users or groups one account reads in a short window, which groups it reads, and which process issued the call, rather than any single event.
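The rows above point at EID 4798/4799, but one such event is not actionable on its own. As an added example that is not part of the ATT&CK page, the following Python runs a burst rule and a privileged-group rule over a constructed set of Security-log events. The dict keys mirror the log fields (SubjectUserName, TargetUserName, CallerProcessName); the five-minute window, the threshold of four distinct targets, the privileged-group list and the machine-account filter are assumptions chosen for illustration, not ATT&CK guidance.

```python
"""Added example: burst and privileged-group rules over Windows EID 4798/4799."""
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_EVENT_IDS = {4798, 4799}
# Assumption: groups whose membership an ordinary user has no reason to read.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins",
                     "backup operators", "account operators"}

# Constructed sample events, not real logs. Keys map to Security-log fields:
# subject = SubjectUserName (who asked), target = TargetUserName (the user whose
# memberships were read for 4798, the group that was read for 4799),
# proc = CallerProcessName.
NET1 = r"C:\Windows\System32\net1.exe"
SAMPLE_EVENTS = [
    # normal: explorer resolves the logged-on user's own memberships
    {"time": "2024-05-01T09:00:01", "id": 4798, "subject": "jdoe", "target": "jdoe",
     "proc": r"C:\Windows\explorer.exe"},
    # normal: machine account enumerating during Group Policy processing
    {"time": "2024-05-01T09:00:05", "id": 4799, "subject": "WS01$", "target": "Administrators",
     "proc": r"C:\Windows\System32\svchost.exe"},
    # suspicious: one account walks several local groups with net1.exe in two minutes
    {"time": "2024-05-01T09:10:00", "id": 4799, "subject": "svc-backup", "target": "Administrators", "proc": NET1},
    {"time": "2024-05-01T09:10:02", "id": 4799, "subject": "svc-backup", "target": "Remote Desktop Users", "proc": NET1},
    {"time": "2024-05-01T09:10:03", "id": 4799, "subject": "svc-backup", "target": "Backup Operators", "proc": NET1},
    {"time": "2024-05-01T09:10:05", "id": 4799, "subject": "svc-backup", "target": "Account Operators", "proc": NET1},
    {"time": "2024-05-01T09:11:20", "id": 4798, "subject": "svc-backup", "target": "administrator", "proc": NET1},
    # not an enumeration event id: ignored
    {"time": "2024-05-01T09:12:00", "id": 4624, "subject": "jdoe", "target": "jdoe", "proc": "-"},
    # same account two hours later, one lookup: outside any burst window
    {"time": "2024-05-01T11:00:00", "id": 4799, "subject": "svc-backup", "target": "Users", "proc": NET1},
]


def is_baseline_subject(subject):
    """SYSTEM and machine accounts (trailing $) emit 4798/4799 constantly from
    Group Policy and service startup, so they are dropped. Tuning choice: an
    adversary already running as SYSTEM is dropped too, so pair this with a
    process-based rule in production."""
    return subject == "SYSTEM" or subject.endswith("$")


def detect_enumeration_bursts(events, window=timedelta(minutes=5), min_targets=4):
    """Return alerts: one 'enumeration_burst' per subject that read >= min_targets
    distinct users/groups inside `window`, and one 'privileged_group_lookup' per
    4799 against a group in PRIVILEGED_GROUPS. Events may arrive unsorted."""
    per_subject = defaultdict(list)
    for ev in events:
        if ev["id"] not in ENUM_EVENT_IDS or is_baseline_subject(ev["subject"]):
            continue
        per_subject[ev["subject"]].append((datetime.fromisoformat(ev["time"]), ev))

    alerts = []
    for subject, evs in per_subject.items():
        evs.sort(key=lambda pair: pair[0])
        # rule 1: a single read of a privileged group is enough to report
        for ts, ev in evs:
            if ev["id"] == 4799 and ev["target"].lower() in PRIVILEGED_GROUPS:
                alerts.append({"rule": "privileged_group_lookup", "subject": subject,
                               "target": ev["target"], "process": ev["proc"],
                               "time": ts.isoformat()})
        # rule 2: sliding window over this subject's events, reported once
        left, reported = 0, False
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = {e["target"].lower() for _, e in evs[left:right + 1]}
            if len(distinct) >= min_targets and not reported:
                alerts.append({"rule": "enumeration_burst", "subject": subject,
                               "targets": sorted(distinct),
                               "processes": sorted({e["proc"] for _, e in evs[left:right + 1]}),
                               "start": evs[left][0].isoformat(),
                               "end": evs[right][0].isoformat()})
                reported = True
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration_bursts(SAMPLE_EVENTS):
        print(alert)
```

On the sample the machine account and the 4624 logon are dropped, jdoe's single self-lookup never reaches the threshold, and svc-backup produces three privileged-group alerts plus one burst covering the four groups read between 09:10:00 and 09:10:05; the lookup two hours later falls outside the window and is not reported.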
Group Metadata
Contextual data about a group: its name, description, permissions or attached policies, purpose, and the user accounts or roles that belong to it. The membership list and attached policies of a high-privilege group show an adversary which accounts to target and which group to join for privilege escalation. Examples of calls that return group metadata:

- Get-ADGroup -Identity "Domain Admins" -Properties Members, Description
- Get-AzureADGroup -ObjectId <GroupId>
- GET https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
- aws iam list-group-policies --group-name <group_name> (inline policies only; list-attached-group-policies and get-group return the attached managed policies and the members)
- GET https://graph.microsoft.com/v1.0/groups/<id>

Data Collection Measures:
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1069 | Permission Groups Discovery | Monitor for contextual data about a group which describes the group and activity around it.
Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | Monitor for contextual data about a group which describes the group and activity around it and that may indicate an attempt to find cloud groups and permission settings.
Group Modification
Changes made to a group, such as its membership, name, path, or permissions (ex: Windows EID 4728, a member was added to a security-enabled global group, or 4732, a member was added to a security-enabled local group; AWS IAM UpdateGroup). Examples of calls that modify a group:

- Set-AzureADGroup -ObjectId <GroupId> -DisplayName "New Name"
- aws iam update-group --group-name <GroupName> --new-path "/admin/"
- PATCH https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
- PATCH https://graph.microsoft.com/v1.0/groups/<groupId>

Data Collection Measures:
- AWS CloudTrail: IAM events such as UpdateGroup, AttachGroupPolicy, RemoveUserFromGroup.
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1098 | Account Manipulation | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.
Enterprise | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions (including memberships in privileged groups) being granted to compromised accounts.
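As an added example, not part of the ATT&CK page, the following Python classifies the group-modification events named above: Windows EID 4728/4732 (plus 4756 for universal groups, which the table does not list but which is what fires for Enterprise Admins) and CloudTrail UpdateGroup/AttachGroupPolicy/RemoveUserFromGroup, over constructed sample records. The Windows keys mirror the Security-log fields (SubjectUserName, MemberName, TargetUserName) and the CloudTrail records follow its JSON schema (eventName, eventSource, userIdentity, requestParameters, errorCode); the privileged-group set, the watched policy ARNs, the extra watched event names and the severity labels are assumptions chosen for illustration.

```python
"""Added example: severity classification of group-change events from Windows and CloudTrail."""
import json

# Assumption: AD/local groups whose membership changes are always high severity.
PRIVILEGED_AD_GROUPS = {"domain admins", "enterprise admins", "administrators",
                        "schema admins", "account operators", "backup operators"}
# Member added to a security-enabled global / local / universal group.
WIN_GROUP_ADD = {4728: "global", 4732: "local", 4756: "universal"}
# Assumption: managed policies whose attachment to a group is always worth an alert.
HIGH_PRIV_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess",
                         "arn:aws:iam::aws:policy/IAMFullAccess"}
# The three events named on the page plus two siblings that also change a group's
# effective permissions.
WATCHED_CLOUDTRAIL_EVENTS = {"UpdateGroup", "AttachGroupPolicy", "RemoveUserFromGroup",
                             "AddUserToGroup", "PutGroupPolicy"}

# Constructed sample records, not real logs.
WINDOWS_SAMPLE = [
    {"id": 4728, "subject": "svc-backup", "member": "CN=svc-backup,CN=Users,DC=corp,DC=local", "group": "Domain Admins"},
    {"id": 4732, "subject": "helpdesk1", "member": "CN=jdoe,CN=Users,DC=corp,DC=local", "group": "Remote Desktop Users"},
    {"id": 4738, "subject": "helpdesk1", "member": "", "group": ""},  # user account changed: not a group event
    {"id": 4756, "subject": "admin2", "member": "CN=jdoe,CN=Users,DC=corp,DC=local", "group": "Enterprise Admins"},
]
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventName": "AttachGroupPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"groupName": "Developers", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "UpdateGroup", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupName": "Ops", "newPath": "/admin/"}},
    {"eventName": "RemoveUserFromGroup", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupName": "SecurityAudit", "userName": "bob"}},
    {"eventName": "AttachGroupPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy"}, "errorCode": "AccessDenied",
     "requestParameters": {"groupName": "Developers", "policyArn": "arn:aws:iam::aws:policy/IAMFullAccess"}},
    {"eventName": "ListGroups", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "requestParameters": None},
]})


def _cn(distinguished_name):
    """First RDN value of an LDAP DN ('CN=jdoe,CN=Users,...' -> 'jdoe')."""
    first = distinguished_name.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def classify_windows(ev):
    """Alert dict for a group-membership addition, None for any other event id."""
    scope = WIN_GROUP_ADD.get(ev["id"])
    if scope is None:
        return None
    member = _cn(ev["member"])
    severity = "low"
    if ev["group"].lower() in PRIVILEGED_AD_GROUPS:
        severity = "high"
        # an account adding itself to a privileged group is the classic
        # post-compromise escalation step, so rank it above other additions
        if member.lower() == ev["subject"].lower():
            severity = "critical"
    return {"source": "windows", "event_id": ev["id"], "scope": scope, "actor": ev["subject"],
            "member": member, "group": ev["group"], "severity": severity}


def classify_cloudtrail(rec):
    """Alert dict for a watched IAM group call, None for anything else."""
    if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") not in WATCHED_CLOUDTRAIL_EVENTS:
        return None
    params = rec.get("requestParameters") or {}
    alert = {"source": "cloudtrail", "event": rec["eventName"],
             "actor": rec.get("userIdentity", {}).get("userName", "?"),
             "group": params.get("groupName"), "severity": "low",
             "detail": {k: v for k, v in params.items() if k != "groupName"}}
    if params.get("policyArn") in HIGH_PRIV_POLICY_ARNS:
        alert["severity"] = "high"
    # CloudTrail also records denied calls; a run of these from one principal is
    # an escalation attempt, so keep them but mark them apart from successes
    if rec.get("errorCode"):
        alert["severity"] = "attempt"
        alert["error"] = rec["errorCode"]
    return alert


def detect_group_modifications(windows_events, cloudtrail_json):
    """Windows alerts first, then CloudTrail alerts, in record order."""
    alerts = [a for a in map(classify_windows, windows_events) if a]
    records = json.loads(cloudtrail_json).get("Records", [])
    alerts += [a for a in map(classify_cloudtrail, records) if a]
    return alerts


if __name__ == "__main__":
    for alert in detect_group_modifications(WINDOWS_SAMPLE, CLOUDTRAIL_SAMPLE):
        print(alert["severity"], alert)
```

The self-add check matters because the subject and the member of a 4728/4732 are separate fields: an operator adding someone else to Domain Admins and a compromised account adding itself look identical if only the target group is examined. On the CloudTrail side, filtering on errorCode rather than dropping failed calls keeps the AccessDenied AttachGroupPolicy visible, which is exactly the record that shows a principal probing for a privilege escalation path.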