
Group Modification (05d5b5b4-ef93-4807-b05f-33d8c5a35bc5)

Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup). Examples:

  • Active Directory:
    • Event ID 4728: Member added to a global group.
    • Event ID 4732: Member added to a local group.
  • Azure AD: Set-AzureADGroup -ObjectId <GroupId> -DisplayName "New Name"
  • AWS IAM: aws iam update-group --group-name <GroupName> --new-path "/admin/"
  • Google Workspace: Modify permissions via Admin SDK API: PATCH https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>
  • Office 365: Modify groups via Graph API: PATCH https://graph.microsoft.com/v1.0/groups/<groupId>

Data Collection Measures:

  • Directory Logging:
    • Windows: Log EIDs 4728 (add), 4729 (remove).
    • Azure AD: Enable "Audit logs."
    • Google Workspace: Enable Admin Activity logs.
    • Office 365: Use Unified Audit Logs.
  • Cloud Monitoring:
    • AWS: Log UpdateGroup, AttachGroupPolicy, RemoveUserFromGroup.
    • Azure: Track modifications via Audit logs.
  • API Monitoring: Log Google Admin SDK and Microsoft Graph API calls.
  • SIEM Integration: Centralize and monitor group modification logs.
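To show what the "centralize and monitor" step looks like in practice, here is an added example (not part of the MISP galaxy entry or MITRE's own tooling) that normalizes the Windows event IDs and AWS CloudTrail event names listed above into one group-modification record and flags changes to privileged groups. The field names follow the Windows Security EventData for 4728/4729/4732 (SubjectUserName, TargetUserName, MemberName) and the CloudTrail IAM record layout (eventName, userIdentity, requestParameters); the PRIVILEGED_GROUPS watchlist and every sample event are constructed for the example.

```python
"""Normalize group-modification events from Windows and AWS into one SIEM-style
record and flag the ones that touch privileged groups (added example; the sample
events below are constructed, not real logs)."""
from dataclasses import dataclass
from typing import Optional

# Windows Security event IDs named on the page, mapped to a normalized action.
WINDOWS_GROUP_EVENTS = {
    4728: "member_added",    # member added to a security-enabled global group
    4729: "member_removed",  # member removed from a security-enabled global group
    4732: "member_added",    # member added to a security-enabled local group
}
# AWS CloudTrail IAM event names named on the page, mapped to a normalized action.
AWS_GROUP_EVENTS = {
    "UpdateGroup": "group_updated",
    "AttachGroupPolicy": "policy_attached",
    "RemoveUserFromGroup": "member_removed",
}
# Hypothetical watchlist; in practice this comes from the organisation's
# inventory of privileged groups.
PRIVILEGED_GROUPS = {"domain admins", "administrators", "admin"}


@dataclass(frozen=True)
class GroupModification:
    source: str       # "windows" or "aws"
    action: str       # normalized action from the tables above
    group: str        # group that was changed
    actor: str        # identity that made the change
    detail: str       # member, policy ARN or new attribute involved
    privileged: bool  # True when the group is on the watchlist


def parse_windows(event: dict) -> Optional[GroupModification]:
    """Map a Windows Security event (EventData fields) to a record; None if unrelated."""
    action = WINDOWS_GROUP_EVENTS.get(int(event.get("EventID", 0)))
    if action is None:
        return None
    group = event.get("TargetUserName", "")  # for 4728/4729/4732 this is the group name
    actor = f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'
    return GroupModification("windows", action, group, actor,
                             event.get("MemberName", ""),
                             group.lower() in PRIVILEGED_GROUPS)


def parse_cloudtrail(record: dict) -> Optional[GroupModification]:
    """Map an AWS CloudTrail IAM record to a record; None if not a group change."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    action = AWS_GROUP_EVENTS.get(record.get("eventName", ""))
    if action is None:
        return None
    params = record.get("requestParameters") or {}
    group = params.get("groupName", "")
    # Whichever parameter carries the interesting detail for this event name.
    detail = (params.get("userName") or params.get("policyArn")
              or params.get("newPath") or params.get("newGroupName") or "")
    actor = (record.get("userIdentity") or {}).get("userName", "")
    return GroupModification("aws", action, group, actor, detail,
                             group.lower() in PRIVILEGED_GROUPS)


def normalize(events: list) -> list:
    """Route each raw event to the matching parser; unrelated events are dropped."""
    records = []
    for ev in events:
        rec = parse_windows(ev) if "EventID" in ev else parse_cloudtrail(ev)
        if rec is not None:
            records.append(rec)
    return records


def privileged_changes(events: list) -> list:
    """Only the normalized records whose group is on the watchlist."""
    return [r for r in normalize(events) if r.privileged]


# Constructed sample input: two Windows group changes, one unrelated logon,
# two CloudTrail IAM group changes and one unrelated S3 call.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=local"},
    {"EventID": 4732, "SubjectDomainName": "WS01", "SubjectUserName": "localadmin",
     "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\contractor7"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
     "userIdentity": {"userName": "ci-deployer"},
     "requestParameters": {"groupName": "admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "RemoveUserFromGroup",
     "userIdentity": {"userName": "iam-ops"},
     "requestParameters": {"groupName": "developers", "userName": "bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
]

if __name__ == "__main__":
    for rec in normalize(SAMPLE_EVENTS):
        level = "PRIVILEGED" if rec.privileged else "info"
        print(f"[{level}] {rec.source}: {rec.actor} {rec.action} on '{rec.group}' ({rec.detail})")
```

The point of the single record type is that the alerting rule (here, "group on the watchlist") is written once and applies to every source the page lists; adding Azure AD or Google Workspace audit records means adding a parser, not a new rule. Membership changes that are not on the watchlist are still kept, since a later rule may correlate them with the actor or time of day.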
Related clusters:

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) | Attack Pattern | Group Modification (05d5b5b4-ef93-4807-b05f-33d8c5a35bc5) | mitre-data-component | 1 |
| Group Modification (05d5b5b4-ef93-4807-b05f-33d8c5a35bc5) | mitre-data-component | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 1 |
| Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2 |