DC0099 Group Enumeration
| Item | Value |
|---|---|
| ID | DC0099 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 21 October 2025 |
Log Sources
| Name | Channel |
|---|---|
| AWS:CloudTrail | ListGroups, ListAttachedRolePolicies |
| azure:audit | az ad user get-member-groups, Get-AzRoleAssignment |
| gcp:audit | cloudidentity.groups.list |
| saas:github | GET /orgs/:org/teams, GET /teams/:team/members |
| saas:salesforce | GET /services/data/vXX.X/groups |
Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0251 | Behavioral Detection of Cloud Group Enumeration via API and CLI Access | T1069.003 |