Evidence: User Groups
Description: Collect User Groups
Category: System
Platform: macos
Short Name: groups
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers user group information from macOS. This data is essential for understanding access control, detecting misconfigurations, and investigating group-based privilege assignments.
Data Collected
This collector gathers structured data about user groups.
Collection Method
This collector queries osquery’s groups table and records results into the user_groups table.
Forensic Value
This evidence is crucial for forensic investigations as it reveals group memberships and elevated permissions, aiding detection of unauthorized privilege grants.
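As an added example, not part of this collector's own code: a small Python triage routine over rows in the shape `osqueryi --json` returns when the macOS groups table is joined with osquery's user_groups and users tables, flagging members of privileged groups outside an approved baseline and any membership in hidden groups. The sample rows, the baseline of expected admins and the function names are constructed here for illustration.

```python
"""Triage of macOS group membership rows collected from osquery (added example)."""
import json

# Constructed sample rows in the shape `osqueryi --json` emits for:
#   SELECT g.gid, g.groupname, g.is_hidden, ug.uid, u.username
#   FROM groups g JOIN user_groups ug USING (gid) JOIN users u USING (uid);
# `is_hidden` is the macOS-only column reflecting OpenDirectory's IsHidden attribute.
# osquery returns every column as a string, so values are parsed below.
SAMPLE_ROWS = json.dumps([
    {"gid": "80",  "groupname": "admin",  "is_hidden": "0", "uid": "501", "username": "alice"},
    {"gid": "80",  "groupname": "admin",  "is_hidden": "0", "uid": "502", "username": "svc_backup"},
    {"gid": "0",   "groupname": "wheel",  "is_hidden": "0", "uid": "0",   "username": "root"},
    {"gid": "20",  "groupname": "staff",  "is_hidden": "0", "uid": "501", "username": "alice"},
    {"gid": "20",  "groupname": "staff",  "is_hidden": "0", "uid": "502", "username": "svc_backup"},
    {"gid": "601", "groupname": "_maint", "is_hidden": "1", "uid": "502", "username": "svc_backup"},
])

# Groups whose membership grants elevated privileges on macOS:
# admin (sudo via the %admin sudoers rule) and wheel (gid 0).
PRIVILEGED_GROUPS = {"admin", "wheel"}


def load_memberships(raw_json):
    """Parse osquery JSON rows into (username, uid, groupname, gid, hidden) tuples."""
    rows = json.loads(raw_json)
    return [
        (r["username"], int(r["uid"]), r["groupname"], int(r["gid"]), r["is_hidden"] == "1")
        for r in rows
    ]


def flag_memberships(memberships, expected_admins):
    """Return findings for privileged-group members outside the approved
    baseline and for any membership in a hidden group."""
    findings = []
    for user, uid, group, gid, hidden in memberships:
        if group in PRIVILEGED_GROUPS and user not in expected_admins:
            findings.append(f"unexpected member of {group} (gid {gid}): {user} (uid {uid})")
        if hidden:
            findings.append(f"membership in hidden group {group} (gid {gid}): {user} (uid {uid})")
    return findings


if __name__ == "__main__":
    # Baseline of accounts approved for privileged groups (constructed).
    for finding in flag_memberships(load_memberships(SAMPLE_ROWS), {"alice", "root"}):
        print(finding)
```

Feed the routine the parsed user_groups evidence from a host and compare the baseline against the host's documented administrators.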