Group

A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights[1]

ID: DS0036
Platforms: Azure AD, Google Workspace, IaaS, Office 365, SaaS, Windows
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Group: Group Enumeration

An extracted list of available groups and/or their associated settings (ex: AWS list-groups)

Domain ID Name Detects

Enterprise T1087.001 Account Discovery: Local Account

Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.

Enterprise T1087.002 Account Discovery: Domain Account

Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.

Enterprise T1069 Permission Groups Discovery

Monitor for an extracted list of ACLs of available groups and/or their associated settings.

Enterprise T1069.001 Local Groups

Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.

Enterprise T1069.002 Domain Groups

Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.

Enterprise T1069.003 Cloud Groups

Monitor for an extracted list of available groups and/or their associated settings.

Group: Group Metadata

Contextual data about a group that describes the group and activity around it, such as its name, permissions, or the user accounts within it

Domain ID Name Detects

Enterprise T1069 Permission Groups Discovery

Monitor for contextual data about a group that describes the group and activity around it.

Enterprise T1069.003 Cloud Groups

Monitor for contextual data about a group that describes the group and activity around it, which may indicate an attempt to find cloud groups and permission settings.

Group: Group Modification

Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)

Domain ID Name Detects

Enterprise T1098 Account Manipulation

Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.

Enterprise T1098.002 Additional Email Delegate Permissions

Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions (including memberships in privileged groups) being granted to compromised accounts.
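As an added example (not part of the ATT&CK page or its tooling), the Windows event IDs named above for Group Enumeration (4798, 4799) and Group Modification (4728, 4732, 4738, 4670) applied to constructed sample Security-log records: enumeration events are counted per subject in a sliding window, because a single 4798/4799 is routine, and modification events are filtered to a privileged-group list. The record field names, subjects, group names and PRIVILEGED_GROUPS set are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs named on the page, grouped by data component.
GROUP_ENUMERATION_EIDS = {4798, 4799}               # Group Enumeration (T1087, T1069)
GROUP_MODIFICATION_EIDS = {4728, 4732, 4738, 4670}  # Group Modification (T1098)
# Hypothetical list of groups whose membership changes deserve immediate review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample records (hypothetical values; keys loosely mirror Security-log fields).
SAMPLE_EVENTS = [
    {"time": "2022-03-30T09:00:00", "eid": 4798, "subject": "alice", "process": "explorer.exe"},
    {"time": "2022-03-30T09:00:02", "eid": 4799, "subject": "svc-backup", "process": "net.exe"},
    {"time": "2022-03-30T09:00:03", "eid": 4799, "subject": "svc-backup", "process": "net.exe"},
    {"time": "2022-03-30T09:00:04", "eid": 4798, "subject": "svc-backup", "process": "net.exe"},
    {"time": "2022-03-30T09:00:05", "eid": 4799, "subject": "svc-backup", "process": "net.exe"},
    {"time": "2022-03-30T09:00:06", "eid": 4798, "subject": "svc-backup", "process": "net.exe"},
    {"time": "2022-03-30T09:05:00", "eid": 4728, "subject": "svc-backup", "group": "Domain Admins", "member": "svc-backup"},
    {"time": "2022-03-30T09:30:00", "eid": 4732, "subject": "helpdesk", "group": "Remote Desktop Users", "member": "bob"},
    {"time": "2022-03-30T12:00:00", "eid": 4624, "subject": "alice"},  # logon, not a group event
]

def enumeration_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {subject: max events seen in one window} for subjects whose 4798/4799
    volume reaches the threshold. A lone enumeration event is routine (explorer,
    services and admin tools all trigger them), so the rate is the signal."""
    per_subject = defaultdict(list)
    for e in events:
        if e["eid"] in GROUP_ENUMERATION_EIDS:
            per_subject[e["subject"]].append(datetime.fromisoformat(e["time"]))
    bursts = {}
    for subject, times in per_subject.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[subject] = max(bursts.get(subject, 0), end - start + 1)
    return bursts

def privileged_modifications(events):
    """Return Group Modification events whose target group is privileged;
    these are the T1098 changes worth alerting on rather than only reporting."""
    return [e for e in events
            if e["eid"] in GROUP_MODIFICATION_EIDS and e.get("group") in PRIVILEGED_GROUPS]
```

Tune the window and threshold against your own baseline; the values here only fit the constructed sample.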

References