Group Metadata (8d8c7cac-94cf-4726-8989-cab33851168c)

Group metadata includes attributes like name, permissions, purpose, and associated user accounts or roles, which adversaries may exploit for privilege escalation. Examples of queries that return group metadata:

  • Active Directory: Get-ADGroup -Identity "Domain Admins" -Properties Members, Description
  • Azure AD: Get-AzureADGroup -ObjectId <GroupId>
  • Google Workspace: GET https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
  • AWS IAM: aws iam list-group-policies --group-name <group_name>
  • Office 365: GET https://graph.microsoft.com/v1.0/groups/<id>

Data Collection Measures:

  • Cloud Logging:
    • AWS CloudTrail for IAM group-related activities.
    • Azure AD Sign-In/Audit logs for metadata changes.
    • Google Admin Activity logs for API calls.
  • Directory Logging: Log metadata access (e.g., Windows Event ID 4662).
  • API Monitoring: Log API calls to modify group metadata (e.g., Microsoft Graph API).
  • SIEM Integration: Centralize group metadata logs for analysis.
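As an added defender-side example (not part of this MISP entry), the following Python scans CloudTrail records for bursts of IAM group-metadata reads by a single principal, the pattern the Cloud Logging measure above is meant to surface. The eventName values are the real CloudTrail names of the IAM read APIs (e.g. `aws iam list-group-policies` logs as `ListGroupPolicies`); the sample records, the principal ARNs and the threshold are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName values of IAM read calls that return group metadata;
# e.g. `aws iam list-group-policies` is recorded as "ListGroupPolicies".
GROUP_METADATA_EVENTS = {
    "GetGroup", "ListGroups", "ListGroupPolicies",
    "ListAttachedGroupPolicies", "GetGroupPolicy", "ListGroupsForUser",
}

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2024-05-01T10:00:01Z","eventSource":"iam.amazonaws.com","eventName":"ListGroups","userIdentity":{"arn":"arn:aws:iam::111122223333:user/recon-user"}}
{"eventTime":"2024-05-01T10:00:09Z","eventSource":"iam.amazonaws.com","eventName":"ListGroupPolicies","userIdentity":{"arn":"arn:aws:iam::111122223333:user/recon-user"},"requestParameters":{"groupName":"Admins"}}
{"eventTime":"2024-05-01T10:00:14Z","eventSource":"iam.amazonaws.com","eventName":"ListAttachedGroupPolicies","userIdentity":{"arn":"arn:aws:iam::111122223333:user/recon-user"},"requestParameters":{"groupName":"Admins"}}
{"eventTime":"2024-05-01T10:00:20Z","eventSource":"iam.amazonaws.com","eventName":"GetGroup","userIdentity":{"arn":"arn:aws:iam::111122223333:user/recon-user"},"requestParameters":{"groupName":"Developers"}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/recon-user"}}
{"eventTime":"2024-05-01T11:30:00Z","eventSource":"iam.amazonaws.com","eventName":"GetGroup","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-admin"},"requestParameters":{"groupName":"Ops"}}
"""

def parse_records(text):
    """Parse newline-delimited CloudTrail JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_group_enumeration(records, threshold=3, window=timedelta(minutes=5)):
    """Return {arn: {"calls": n, "groups": [...]}} for principals that issue
    at least `threshold` group-metadata reads within one `window`."""
    per_principal = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # only IAM calls can expose IAM group metadata
        if rec.get("eventName") not in GROUP_METADATA_EVENTS:
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        group = (rec.get("requestParameters") or {}).get("groupName")
        per_principal[rec["userIdentity"]["arn"]].append((ts, group))

    hits = {}
    for arn, events in per_principal.items():
        events.sort(key=lambda e: e[0])  # sliding window over time-ordered reads
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                hits[arn] = {"calls": len(burst),
                             "groups": sorted({g for _, g in burst if g})}
                break
    return hits
```

A single `GetGroup` by an administrator stays below the threshold, while a principal walking several groups in quick succession is reported together with the group names it touched, which is what an analyst needs to triage the alert.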
Related clusters (Cluster A, Galaxy A; Cluster B, Galaxy B; Level):

  • Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2), Attack Pattern; Group Metadata (8d8c7cac-94cf-4726-8989-cab33851168c), mitre-data-component; level 1
  • Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce), Attack Pattern; Group Metadata (8d8c7cac-94cf-4726-8989-cab33851168c), mitre-data-component; level 1
  • Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2), Attack Pattern; Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce), Attack Pattern; level 2