DS0036 Group
A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights1
| Item | Value |
|---|---|
| ID | DS0036 |
| Platforms | Azure AD, Google Workspace, IaaS, Office 365, SaaS, Windows |
| Collection Layers | Cloud Control Plane, Host |
| Version | 1.0 |
| Created | 20 October 2021 |
| Last Modified | 30 March 2022 |
Data Components
Group Enumeration
An extracted list of available groups and/or their associated settings (ex: AWS list-groups)
| Domain | ID | Name |
|---|---|---|
| enterprise | T1087 | Account Discovery |
| enterprise | T1087.001 | Local Account |
| enterprise | T1087.002 | Domain Account |
| enterprise | T1069 | Permission Groups Discovery |
| enterprise | T1069.001 | Local Groups |
| enterprise | T1069.002 | Domain Groups |
| enterprise | T1069.003 | Cloud Groups |
Group Metadata
Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group
| Domain | ID | Name |
|---|---|---|
| enterprise | T1069 | Permission Groups Discovery |
| enterprise | T1069.003 | Cloud Groups |
Group Modification
Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)
| Domain | ID | Name |
|---|---|---|
| enterprise | T1098 | Account Manipulation |
| enterprise | T1098.002 | Additional Email Delegate Permissions |