User Groups

Overview

Evidence: User Groups
Description: Collect User Groups
Category: System
Platform: macos
Short Name: groups
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

This collector gathers user group information from macOS. This data is essential for understanding access control, detecting misconfigurations, and investigating group-based privilege assignments.

Data Collected

This collector gathers structured data about user groups.

Collection Method

This collector queries osquery’s groups table and records results into the user_groups table.

Forensic Value

This evidence is crucial for forensic investigations as it reveals group memberships and elevated permissions, aiding detection of unauthorized privilege grants.
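
For the membership review described above, the following query is an added example, not the collector's own query or part of the product. It assumes it is run in osqueryi on the macOS host, and it uses osquery's own user_groups and users tables (distinct from the user_groups results table this collector writes to) to list the accounts that belong to the admin and wheel groups.

```sql
-- Added example: run interactively in osqueryi on the macOS host being examined.
-- osquery's groups table holds one row per group. Membership is not in that
-- table; it comes from osquery's user_groups (uid, gid) table, joined to users
-- to resolve account names.
SELECT
  g.groupname,
  g.gid,
  g.is_hidden  AS group_hidden,   -- macOS column: IsHidden set in OpenDirectory
  u.username,
  u.uid,
  u.is_hidden  AS user_hidden,    -- hidden accounts in admin groups deserve a look
  u.shell,
  u.directory
FROM groups AS g
JOIN user_groups AS ug ON ug.gid = g.gid
JOIN users       AS u  ON u.uid  = ug.uid
WHERE g.groupname IN ('admin', 'wheel')   -- macOS administrative groups (gid 80 and gid 0)
ORDER BY g.groupname, u.username;
```

Compare the returned accounts against the expected administrators for the host; any account not on that list is a candidate for an unauthorized privilege grant.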
