A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights[1]
An extracted list of available groups and/or their associated settings (ex: AWS list-groups)
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1069 | Permission Groups Discovery | Monitor for an extracted list of ACLs of available groups and/or their associated settings
| .003 | Cloud Groups | Monitor for an extracted list of available groups and/or their associated settings
Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1069 | Permission Groups Discovery | Monitor for contextual data about a group which describes the group and activity around it
| .003 | Cloud Groups | Monitor for contextual data about a group which describes the group and activity around it, which may reveal attempts to find cloud groups and permission settings
Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1098 | Account Manipulation | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.
| .002 | Additional Email Delegate Permissions | Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions (including memberships in privileged groups) being granted to compromised accounts.
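The group-modification detection described above, as an added example that is not part of this page: a small Python detector that walks Windows Security events, keeps the membership-addition IDs cited here (4728 and 4732), and raises the severity when the target group is on a privileged-group list. The privileged-group list and the sample events are constructed assumptions; the field names follow the Windows Security log schema for those event IDs.

```python
from dataclasses import dataclass

# Event IDs cited on this page for group membership changes (Windows Security log).
MEMBERSHIP_ADD_EVENTS = {
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
}

# Assumption (not from the page): groups whose membership changes deserve top priority.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class GroupChangeAlert:
    event_id: int
    description: str
    group: str        # TargetUserName holds the group name for 4728/4732
    member: str       # MemberName holds the added account's distinguished name
    actor: str        # SubjectUserName is the account that made the change
    severity: str


def detect_group_changes(events):
    """Return one alert per 4728/4732 event; privileged groups are rated 'high'."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in MEMBERSHIP_ADD_EVENTS:
            continue  # not a group membership change, ignore
        group = ev.get("TargetUserName", "")
        severity = "high" if group in PRIVILEGED_GROUPS else "medium"
        alerts.append(GroupChangeAlert(eid, MEMBERSHIP_ADD_EVENTS[eid], group,
                                       ev.get("MemberName", ""),
                                       ev.get("SubjectUserName", ""), severity))
    return alerts


# Constructed sample events (values invented; a logon event is included as noise).
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"EventID": 4728, "SubjectUserName": "svc-helpdesk", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "alice", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=carol,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in detect_group_changes(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.actor} added {alert.member} to {alert.group} ({alert.event_id})")
```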