-
Notifications
You must be signed in to change notification settings - Fork 353
/
aws_iam_failure_group_deletion.yml
71 lines (71 loc) · 2.84 KB
/
aws_iam_failure_group_deletion.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
name: AWS IAM Failure Group Deletion
id: 723b861a-92eb-11eb-93b8-acde48001122
version: 3
date: '2024-05-11'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic identifies failed attempts to delete AWS IAM groups.
It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails
due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied.
This activity is significant as it may indicate unauthorized attempts to modify
IAM group configurations, which could be a precursor to privilege escalation or
other malicious actions. If confirmed malicious, this could allow an attacker to
disrupt IAM policies, potentially leading to unauthorized access or denial of service
within the AWS environment.
data_source:
- AWS CloudTrail DeleteGroup
search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode
IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName)
as group_name by src eventName eventSource aws_account_id errorCode errorMessage
userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`'
how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize
this data. The search requires AWS CloudTrail logs.
known_false_positives: This detection will require tuning to provide high fidelity
detection capabilties. Tune based on src addresses (corporate offices, VPN terminations)
or by groups of users. Not every user with AWS access should have permission to
delete groups (least privilege).
references:
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html
tags:
analytic_story:
- AWS IAM Privilege Escalation
asset_type: AWS Account
confidence: 50
impact: 10
message: User $user_arn$ has had mulitple failures while attempting to delete groups
from $src$
mitre_attack_id:
- T1098
observable:
- name: src
type: IP Address
role:
- Attacker
- name: user_arn
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- eventName
- userAgent
- errorCode
- requestParameters.groupName
risk_score: 5
security_domain: cloud
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true