Group

A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights^[1]

ID: DS0036

ⓘ

Platforms: IaaS, Identity Provider, Office Suite, SaaS, Windows

ⓘ

Collection Layers: Cloud Control Plane, Host

Contributors: Center for Threat-Informed Defense (CTID)

Version: 1.0

Created: 20 October 2021

Last Modified: 25 April 2025

Version Permalink

Live Version

Data Components

Group: Group Enumeration

Extracting group lists from identity systems identifies permissions, roles, or configurations. Adversaries may exploit high-privilege groups or misconfigurations. Examples:

AWS CLI: aws iam list-groups
PowerShell: Get-ADGroup -Filter *
(Saas) Google Workspace: Admin SDK Directory API
Azure: Get-AzureADGroup
Microsoft 365: Graph API GET https://graph.microsoft.com/v1.0/groups

Data Collection Measures:

Cloud Logging: Enable AWS CloudTrail, Azure Activity Logs, and Google Workspace Admin Logs for group-related actions.
Directory Monitoring: Track logs like AD Event ID 4662 (object operations).
API Monitoring: Log API activity like AWS IAM queries.
SaaS Monitoring: Use platform logs (e.g., Office 365 Unified Audit Logs).
SIEM Integration: Centralize group query tracking.

Group: Group Enumeration

Extracting group lists from identity systems identifies permissions, roles, or configurations. Adversaries may exploit high-privilege groups or misconfigurations. Examples:

AWS CLI: aws iam list-groups
PowerShell: Get-ADGroup -Filter *
(Saas) Google Workspace: Admin SDK Directory API
Azure: Get-AzureADGroup
Microsoft 365: Graph API GET https://graph.microsoft.com/v1.0/groups

Data Collection Measures:

Cloud Logging: Enable AWS CloudTrail, Azure Activity Logs, and Google Workspace Admin Logs for group-related actions.
Directory Monitoring: Track logs like AD Event ID 4662 (object operations).
API Monitoring: Log API activity like AWS IAM queries.
SaaS Monitoring: Use platform logs (e.g., Office 365 Unified Audit Logs).
SIEM Integration: Centralize group query tracking.

Domain	ID		Name	Detects
Enterprise	T1087	.001	Account Discovery: Local Account	Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
		.002	Account Discovery: Domain Account	Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
Enterprise	T1069		Permission Groups Discovery	Monitor for an extracted list of ACLs of available groups and/or their associated settings.
		.001	Local Groups	Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
		.002	Domain Groups	Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.
		.003	Cloud Groups	Monitor for an extracted list of available groups and/or their associated setting

Group: Group Metadata

Group metadata includes attributes like name, permissions, purpose, and associated user accounts or roles, which adversaries may exploit for privilege escalation. Examples:

Active Directory: Get-ADGroup -Identity "Domain Admins" -Properties Members, Description
Azure AD: Get-AzureADGroup -ObjectId <GroupId>
Google Workspace: GET https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
AWS IAM: aws iam list-group-policies --group-name <group_name>
Office 365: GET https://graph.microsoft.com/v1.0/groups/<id>

Data Collection Measures:

Cloud Logging:
- AWS CloudTrail for IAM group-related activities.
- Azure AD Sign-In/Audit logs for metadata changes.
- Google Admin Activity logs for API calls.
Directory Logging: Log metadata access (e.g., Windows Event ID 4662).
API Monitoring: Log API calls to modify group metadata (e.g., Microsoft Graph API).
SIEM Integration: Centralize group metadata logs for analysis.

Group: Group Metadata

Group metadata includes attributes like name, permissions, purpose, and associated user accounts or roles, which adversaries may exploit for privilege escalation. Examples:

Active Directory: Get-ADGroup -Identity "Domain Admins" -Properties Members, Description
Azure AD: Get-AzureADGroup -ObjectId <GroupId>
Google Workspace: GET https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
AWS IAM: aws iam list-group-policies --group-name <group_name>
Office 365: GET https://graph.microsoft.com/v1.0/groups/<id>

Data Collection Measures:

Cloud Logging:
- AWS CloudTrail for IAM group-related activities.
- Azure AD Sign-In/Audit logs for metadata changes.
- Google Admin Activity logs for API calls.
Directory Logging: Log metadata access (e.g., Windows Event ID 4662).
API Monitoring: Log API calls to modify group metadata (e.g., Microsoft Graph API).
SIEM Integration: Centralize group metadata logs for analysis.

Domain	ID		Name	Detects
Enterprise	T1069		Permission Groups Discovery	Monitor for contextual data about a group which describes group and activity around it.
		.003	Cloud Groups	Contextual data about a group which describes group and activity around it that may attempt to find cloud groups and permission settings.

Group: Group Modification

Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup). Examples:

Active Directory:
- Event ID 4728: Member added to a global group.
- Event ID 4732: Member added to a local group.
Azure AD: Set-AzureADGroup -ObjectId <GroupId> -DisplayName "New Name"
AWS IAM: aws iam update-group --group-name <GroupName> --new-path "/admin/"
Google Workspace: Modify permissions via Admin SDK API: PATCH https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
Office 365: Modify groups via Graph API: PATCH https://graph.microsoft.com/v1.0/groups/<groupId>

Data Collection Measures:

Directory Logging:
- Windows: Log EIDs 4728 (add), 4729 (remove).
- Azure AD: Enable "Audit logs."
- Google Workspace: Enable Admin Activity logs.
- Office 365: Use Unified Audit Logs.
Cloud Monitoring:
- AWS: Log UpdateGroup, AttachGroupPolicy, RemoveUserFromGroup.
- Azure: Track modifications via Audit logs.
API Monitoring: Log Google Admin SDK and Microsoft Graph API calls.
SIEM Integration: Centralize and monitor group modification logs.

Group: Group Modification

Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup). Examples:

Active Directory:
- Event ID 4728: Member added to a global group.
- Event ID 4732: Member added to a local group.
Azure AD: Set-AzureADGroup -ObjectId <GroupId> -DisplayName "New Name"
AWS IAM: aws iam update-group --group-name <GroupName> --new-path "/admin/"
Google Workspace: Modify permissions via Admin SDK API: PATCH https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
Office 365: Modify groups via Graph API: PATCH https://graph.microsoft.com/v1.0/groups/<groupId>

Data Collection Measures:

Directory Logging:
- Windows: Log EIDs 4728 (add), 4729 (remove).
- Azure AD: Enable "Audit logs."
- Google Workspace: Enable Admin Activity logs.
- Office 365: Use Unified Audit Logs.
Cloud Monitoring:
- AWS: Log UpdateGroup, AttachGroupPolicy, RemoveUserFromGroup.
- Azure: Track modifications via Audit logs.
API Monitoring: Log Google Admin SDK and Microsoft Graph API calls.
SIEM Integration: Centralize and monitor group modification logs.

Domain	ID		Name	Detects
Enterprise	T1098		Account Manipulation	Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.
		.002	Additional Email Delegate Permissions	Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions (including memberships in privileged groups) being granted to compromised accounts.

References

Amazon. (n.d.). IAM user groups. Retrieved October 13, 2021.