Group

A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights.[1]

ID: DS0036
Platforms: IaaS, Identity Provider, Office Suite, SaaS, Windows
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 16 April 2025

Data Components

Group: Group Enumeration

Extracting group lists from identity systems identifies permissions, roles, or configurations. Adversaries may exploit high-privilege groups or misconfigurations. Examples:

  • AWS CLI: aws iam list-groups
  • PowerShell: Get-ADGroup -Filter *
  • (SaaS) Google Workspace: Admin SDK Directory API
  • Azure: Get-AzureADGroup
  • Microsoft 365: Graph API GET https://graph.microsoft.com/v1.0/groups

Data Collection Measures:

  • Cloud Logging: Enable AWS CloudTrail, Azure Activity Logs, and Google Workspace Admin Logs for group-related actions.
  • Directory Monitoring: Track logs like AD Event ID 4662 (object operations).
  • API Monitoring: Log API activity like AWS IAM queries.
  • SaaS Monitoring: Use platform logs (e.g., Office 365 Unified Audit Logs).
  • SIEM Integration: Centralize group query tracking.

Domain | ID | Name | Detects
Enterprise | T1087.001 | Account Discovery: Local Account | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise | T1087.002 | Account Discovery: Domain Account | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise | T1069 | Permission Groups Discovery | Monitor for an extracted list of ACLs of available groups and/or their associated settings.
Enterprise | T1069.001 | Local Groups | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise | T1069.002 | Domain Groups | Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise | T1069.003 | Cloud Groups | Monitor for an extracted list of available groups and/or their associated settings.

Group: Group Metadata

Group metadata includes attributes like name, permissions, purpose, and associated user accounts or roles, which adversaries may exploit for privilege escalation. Examples:

  • Active Directory: Get-ADGroup -Identity "Domain Admins" -Properties Members, Description
  • Azure AD: Get-AzureADGroup -ObjectId <GroupId>
  • Google Workspace: GET https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
  • AWS IAM: aws iam list-group-policies --group-name <group_name>
  • Office 365: GET https://graph.microsoft.com/v1.0/groups/<id>

Data Collection Measures:

  • Cloud Logging:
    • AWS CloudTrail for IAM group-related activities.
    • Azure AD Sign-In/Audit logs for metadata changes.
    • Google Admin Activity logs for API calls.
  • Directory Logging: Log metadata access (e.g., Windows Event ID 4662).
  • API Monitoring: Log API calls to modify group metadata (e.g., Microsoft Graph API).
  • SIEM Integration: Centralize group metadata logs for analysis.

Domain | ID | Name | Detects
Enterprise | T1069 | Permission Groups Discovery | Monitor for contextual data about a group that describes the group and the activity around it.
Enterprise | T1069.003 | Cloud Groups | Monitor for contextual data about a group that describes the group and the activity around it, which may reveal attempts to find cloud groups and permission settings.

Group: Group Modification

Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup). Examples:

  • Active Directory:
    • Event ID 4728: Member added to a global group.
    • Event ID 4732: Member added to a local group.
  • Azure AD: Set-AzureADGroup -ObjectId <GroupId> -DisplayName "New Name"
  • AWS IAM: aws iam update-group --group-name <GroupName> --new-path "/admin/"
  • Google Workspace: Modify permissions via Admin SDK API: PATCH https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
  • Office 365: Modify groups via Graph API: PATCH https://graph.microsoft.com/v1.0/groups/<groupId>

Data Collection Measures:

  • Directory Logging:
    • Windows: Log EIDs 4728 (add), 4729 (remove).
    • Azure AD: Enable "Audit logs."
    • Google Workspace: Enable Admin Activity logs.
    • Office 365: Use Unified Audit Logs.
  • Cloud Monitoring:
    • AWS: Log UpdateGroup, AttachGroupPolicy, RemoveUserFromGroup.
    • Azure: Track modifications via Audit logs.
  • API Monitoring: Log Google Admin SDK and Microsoft Graph API calls.
  • SIEM Integration: Centralize and monitor group modification logs.

Domain | ID | Name | Detects
Enterprise | T1098 | Account Manipulation | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.
Enterprise | T1098.002 | Additional Email Delegate Permissions | Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions (including memberships in privileged groups) being granted to compromised accounts.

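As an added example that is not part of this ATT&CK page, the detection logic below applies the Windows event IDs (4798/4799 for enumeration, 4728/4729/4732 for membership changes) and the CloudTrail IAM actions (UpdateGroup, AttachGroupPolicy, RemoveUserFromGroup) named in the Group Enumeration and Group Modification components to constructed log records. The group watchlist, user names, account ID and enumeration threshold are assumptions chosen for the sample, not values from the page.

```python
"""Added example (not from the ATT&CK page): flag group enumeration bursts and
privileged-group changes in constructed Windows Security and CloudTrail records,
using the event IDs and IAM action names the data components above list."""
from typing import Dict, List, Set

ENUMERATION_EIDS = {4798, 4799}        # local group membership enumerated
MODIFICATION_EIDS = {4728, 4729, 4732}  # member added (4728, 4732) or removed (4729)
CLOUDTRAIL_GROUP_ACTIONS = {"UpdateGroup", "AttachGroupPolicy", "RemoveUserFromGroup"}
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}  # constructed watchlist; tune per environment
ENUM_THRESHOLD = 5  # distinct targets one actor may enumerate before an alert fires


def detect(windows_events: List[Dict], cloudtrail_events: List[Dict]) -> List[str]:
    """Return one alert string per suspicious group event, modifications first."""
    alerts: List[str] = []
    enumerated: Dict[str, Set[str]] = {}  # actor -> targets (4798: a user, 4799: a group)
    for ev in windows_events:
        eid, actor, target = ev["EventID"], ev["SubjectUserName"], ev["TargetUserName"]
        if eid in ENUMERATION_EIDS:
            enumerated.setdefault(actor, set()).add(target)
        elif eid in MODIFICATION_EIDS and target in PRIVILEGED_GROUPS:
            verb = "removed from" if eid == 4729 else "added to"
            alerts.append(f"{actor}: {ev['MemberName']} {verb} {target} (EID {eid})")
    for actor, targets in enumerated.items():
        if len(targets) >= ENUM_THRESHOLD:
            alerts.append(f"{actor}: enumerated {len(targets)} group memberships (EID 4798/4799)")
    for ev in cloudtrail_events:
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] in CLOUDTRAIL_GROUP_ACTIONS:
            group = ev.get("requestParameters", {}).get("groupName", "?")
            alerts.append(f"{ev['userIdentity']['arn']}: {ev['eventName']} on IAM group {group}")
    return alerts


def run_sample() -> List[str]:
    """Constructed records shaped like the real log fields; every value is invented."""
    win = [{"EventID": 4799, "SubjectUserName": "jdoe", "TargetUserName": g}
           for g in ["Administrators", "Backup Operators", "Remote Desktop Users",
                     "Power Users", "Guests"]]
    win.append({"EventID": 4728, "SubjectUserName": "svc_deploy",
                "MemberName": "CN=tempuser,CN=Users,DC=example,DC=local",
                "TargetUserName": "Domain Admins"})
    win.append({"EventID": 4732, "SubjectUserName": "helpdesk1",  # non-privileged group: no alert
                "MemberName": "EXAMPLE\\bob", "TargetUserName": "Remote Desktop Users"})
    ct = [{"eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
           "userIdentity": {"arn": "arn:aws:iam::000000000000:user/ops"},  # placeholder account id
           "requestParameters": {"groupName": "admins", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
          {"eventSource": "iam.amazonaws.com", "eventName": "GetUser",  # not a group action: no alert
           "userIdentity": {"arn": "arn:aws:iam::000000000000:user/ops"}}]
    return detect(win, ct)
```

In production the same fields arrive from the Security event log (4728/4732/4799 all carry SubjectUserName and TargetUserName) and from CloudTrail JSON, so the detector can be pointed at a SIEM export without changing its logic.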