AddUserToGroup
Event
Adds an IAM user to a specified group, granting the user all permissions attached to that group.
Security Context
- Adding users to privileged groups is a common persistence technique that grants broad permissions while appearing as routine administration.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.