Group Enumeration (8e44412e-3238-4d64-8878-4f11e27784fe)

Extracting group lists from identity systems identifies permissions, roles, or configurations. Adversaries may exploit high-privilege groups or misconfigurations. Examples:

  • AWS CLI: aws iam list-groups
  • PowerShell: Get-ADGroup -Filter *
  • (SaaS) Google Workspace: Admin SDK Directory API
  • Azure: Get-AzureADGroup
  • Microsoft 365: Graph API GET https://graph.microsoft.com/v1.0/groups

Data Collection Measures:

  • Cloud Logging: Enable AWS CloudTrail, Azure Activity Logs, and Google Workspace Admin Logs for group-related actions.
  • Directory Monitoring: Track logs like AD Event ID 4662 (object operations).
  • API Monitoring: Log API activity like AWS IAM queries.
  • SaaS Monitoring: Use platform logs (e.g., Office 365 Unified Audit Logs).
  • SIEM Integration: Centralize group query tracking.
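
As an added example (not part of the original page), the check below applies the cloud logging and API monitoring measures to CloudTrail-style records: it counts IAM group-listing calls per principal and flags bursts inside a sliding window. The sample records, the user names, the threshold and the window length are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# IAM read actions that list groups or their members.
GROUP_ENUM_EVENTS = {"ListGroups", "GetGroup", "ListGroupsForUser"}

def _rec(ts, name, user, source="iam.amazonaws.com"):
    """Build a constructed record with the CloudTrail fields this check reads."""
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample data, not real logs.
SAMPLE_RECORDS = [
    _rec("2024-05-01T09:00:00Z", "ListGroups", "admin-alice"),
    _rec("2024-05-01T10:00:05Z", "ListGroups", "build-svc"),
    _rec("2024-05-01T10:00:10Z", "ListUsers", "build-svc"),
    _rec("2024-05-01T10:00:20Z", "GetGroup", "build-svc"),
    _rec("2024-05-01T10:01:00Z", "GetGroup", "build-svc"),
    _rec("2024-05-01T10:02:10Z", "ListGroupsForUser", "build-svc"),
    _rec("2024-05-01T10:03:00Z", "ListBuckets", "build-svc", "s3.amazonaws.com"),
    _rec("2024-05-01T11:30:00Z", "ListGroups", "admin-alice"),
]

def find_enumeration_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return {principal ARN: peak call count in any window} for principals at or above threshold."""
    calls = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com":
            continue
        if r.get("eventName") not in GROUP_ENUM_EVENTS:
            continue
        arn = r.get("userIdentity", {}).get("arn", "unknown")
        calls[arn].append(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for arn, times in calls.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[arn] = peak
    return flagged

if __name__ == "__main__":
    for arn, n in find_enumeration_bursts(SAMPLE_RECORDS).items():
        print(f"{arn}: {n} group-enumeration calls within the window")
```

A single `ListGroups` call from an administrator is routine, so the threshold and window need tuning against each environment's baseline.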

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2) | Attack Pattern | Group Enumeration (8e44412e-3238-4d64-8878-4f11e27784fe) | mitre-data-component | 1 |
| Group Enumeration (8e44412e-3238-4d64-8878-4f11e27784fe) | mitre-data-component | Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) | Attack Pattern | 1 |
| Group Enumeration (8e44412e-3238-4d64-8878-4f11e27784fe) | mitre-data-component | Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) | Attack Pattern | 1 |
| Group Enumeration (8e44412e-3238-4d64-8878-4f11e27784fe) | mitre-data-component | Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) | Attack Pattern | 1 |
| Group Enumeration (8e44412e-3238-4d64-8878-4f11e27784fe) | mitre-data-component | Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) | Attack Pattern | 1 |
| Group Enumeration (8e44412e-3238-4d64-8878-4f11e27784fe) | mitre-data-component | Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) | Attack Pattern | 1 |
| Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2) | Attack Pattern | Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) | Attack Pattern | 2 |
| Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) | Attack Pattern | Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) | Attack Pattern | 2 |
| Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) | Attack Pattern | Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) | Attack Pattern | 2 |
| Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) | Attack Pattern | Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) | Attack Pattern | 2 |
| Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) | Attack Pattern | Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) | Attack Pattern | 2 |