Privilege Escalation: Privileged Group Opened To Public
Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
This finding isn't available for project-level activations.
Open a Privilege Escalation: Privileged Group Opened To Public
finding, as directed in Reviewing findings.
The details panel for the finding opens to the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following fields:
Principal email: the account that made the changes, which
might be compromised.
Affected resource
Related links, especially the following fields:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
Click the JSON tab.
In the JSON, note the following fields.
groupName: the Google Group where the changes were made
sensitiveRoles: the sensitive roles associated with this group
whoCanJoin: the joinability setting of the group
Step 2: Review group access settings
Go to the Admin Console for Google Groups. You must be a Google
Workspace Admin to sign in to the console.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Privilege Escalation: Privileged Group Opened To Public\n\n| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n--------\n\nThis finding isn't available for project-level activations.\n\nA privileged Google Group (a group granted [sensitive roles or\npermissions](/security-command-center/docs/concepts-event-threat-detection-overview#sensitive_roles)) was\nmade accessible to the general public.\n\nHow to respond\n--------------\n\nTo respond to this finding, do the following:\n\n### Step 1: Review finding details\n\n1. Open a `Privilege Escalation: Privileged Group Opened To Public`\n finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings).\n The details panel for the finding opens to the **Summary** tab.\n\n2. On the **Summary** tab, review the information in the following sections:\n\n - **What was detected** , especially the following fields:\n - **Principal email**: the account that made the changes, which might be compromised.\n - **Affected resource**\n - **Related links** , especially the following fields:\n - **Cloud Logging URI**: link to Logging entries.\n - **MITRE ATT\\&CK method**: link to the MITRE ATT\\&CK documentation.\n - **Related findings**: links to any related findings.\n\n 1. Click the **JSON** tab.\n 2. In the JSON, note the following fields.\n\n - `groupName`: the Google Group where the changes were made\n - `sensitiveRoles`: the sensitive roles associated with this group\n - `whoCanJoin`: the joinability setting of the group\n\n### Step 2: Review group access settings\n\n1. Go to the **Admin Console** for Google Groups. You must be a Google\n Workspace Admin to sign in to the console.\n\n [Go to Admin Console](https://admin.google.com)\n2. In the navigation pane, click **Directory** , and then select **Groups**.\n\n3. Click the name of the group you want to review.\n\n4. Click **Access Settings** , and then, under **Who can join the group**,\n review the group's joinability setting.\n\n5. In the drop-down menu, if needed, change the joinability setting.\n\n### Step 3: Check logs\n\n1. On the **Summary tab** of the finding details panel, click the **Cloud Logging URI** link to open the **Logs Explorer**.\n2. If necessary, select your project.\n\n3. On the page that loads, check logs for Google Group settings changes\n using the following filters:\n\n - `protoPayload.methodName=\"google.admin.AdminService.changeGroupSetting\"`\n - `protoPayload.authenticationInfo.principalEmail=\"`\u003cvar class=\"edit\" translate=\"no\"\u003eprincipalEmail\u003c/var\u003e`\"`\n\n### Step 4: Research attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entry for this finding type: [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n2. To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.\n\nWhat's next\n-----------\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
