User Groups
Overview
Evidence: User Groups
Description: Collect User Groups
Category: System
Platform: macos
Short Name: groups
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers user group information from macOS. This data is essential for understanding access control, detecting misconfigurations, and investigating group-based privilege assignments.
Data Collected
This collector gathers structured data about user groups.
Collection Method
This collector queries osquery’s groups table and records the results into the user_groups table.
Forensic Value
This evidence is crucial for forensic investigations because it reveals group memberships and elevated permissions, aiding detection of unauthorized privilege grants.
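The following is an added example, not the collector's own code, showing the collection method and the forensic check described above: it takes the JSON that osqueryi prints for the macOS groups table, records it into a user_groups table, and flags the stock privileged groups an investigator looks at first. The osquery rows are a constructed sample, and the gid/name pairs for wheel and admin are assumed to be Apple's defaults.

```python
"""Added example: load osquery `groups` rows into user_groups, then flag
privileged or hidden groups. Not the collector's own implementation."""
import json
import sqlite3

# Constructed sample of what `osqueryi --json` returns for
# "SELECT gid, groupname, is_hidden FROM groups" on macOS (trimmed).
SAMPLE_OSQUERY_JSON = """[
  {"gid":"0","groupname":"wheel","is_hidden":"0"},
  {"gid":"80","groupname":"admin","is_hidden":"0"},
  {"gid":"20","groupname":"staff","is_hidden":"0"},
  {"gid":"1001","groupname":"support","is_hidden":"1"}
]"""

# Assumption: stock macOS gids that confer elevated rights.
PRIVILEGED_GIDS = {0: "wheel", 80: "admin"}


def load_user_groups(raw_json, conn):
    """Parse osquery rows (every value is a string) into user_groups."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS user_groups ("
        "gid INTEGER PRIMARY KEY, groupname TEXT NOT NULL, is_hidden INTEGER)"
    )
    rows = [(int(r["gid"]), r["groupname"], int(r["is_hidden"]))
            for r in json.loads(raw_json)]
    conn.executemany("INSERT OR REPLACE INTO user_groups VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def find_notable_groups(conn):
    """Return (gid, name, reason) for privileged or hidden groups, gid order."""
    findings = []
    for gid, name, hidden in conn.execute(
            "SELECT gid, groupname, is_hidden FROM user_groups"):
        expected = PRIVILEGED_GIDS.get(gid)
        if expected is not None:
            # A privileged gid carrying an unexpected name is itself suspicious.
            reason = "privileged" if name == expected else "privileged-renamed"
            findings.append((gid, name, reason))
        elif hidden:
            findings.append((gid, name, "hidden"))
    return sorted(findings)


def analyze(raw_json):
    """Run both steps against an in-memory database; returns (count, findings)."""
    conn = sqlite3.connect(":memory:")
    return load_user_groups(raw_json, conn), find_notable_groups(conn)


if __name__ == "__main__":
    print(analyze(SAMPLE_OSQUERY_JSON))
```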