aws_iam_successful_group_deletion.yml
name: AWS IAM Successful Group Deletion
id: e776d06c-9267-11eb-819b-acde48001122
version: 2
date: '2024-05-29'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic identifies the successful deletion of an IAM group
in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success
status. This activity is significant as it could indicate potential changes in user
permissions or access controls, which may be a precursor to further unauthorized
actions. If confirmed malicious, an attacker could disrupt access management, potentially
leading to privilege escalation or unauthorized access to sensitive resources. Analysts
should review related IAM events, such as recent user additions or new group creations,
to assess the broader context.
data_source:
- AWS CloudTrail DeleteGroup
search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success
(userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as
lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource
errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`'
how_to_implement: The Splunk Add-on for AWS and the Splunk App for AWS are required
  to utilize this data. The search requires AWS CloudTrail logs.
known_false_positives: This detection will require tuning to provide high-fidelity
  detection capabilities. Tune based on src addresses (corporate offices, VPN terminations)
  or by groups of users. Not every user with AWS access should have permission to
  delete groups (least privilege).
references:
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html
tags:
analytic_story:
- AWS IAM Privilege Escalation
asset_type: AWS Account
confidence: 50
impact: 10
  message: User $user_arn$ has successfully deleted group(s) $group_deleted$
    from $src$
mitre_attack_id:
- T1069.003
- T1098
- T1069
observable:
- name: src
type: IP Address
role:
- Attacker
- name: user_arn
type: User
role:
- Victim
- name: group_deleted
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
  required_fields:
  - _time
  - eventName
  - eventSource
  - userAgent
  - errorCode
  - src
  - awsRegion
  - userIdentity.principalId
  - user_arn
  - requestParameters.groupName
risk_score: 5
security_domain: cloud
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true
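The SPL in the `search` field only runs inside Splunk, so the following stand-alone Python script reproduces the same detection logic over raw CloudTrail JSON records: keep `iam.amazonaws.com` / `DeleteGroup` events that succeeded and were not issued by an AWS service principal, then aggregate count, first/last time and the set of deleted group names per source IP, caller ARN, region and user agent. It is an added example, not code from the security_content project. The sample events are constructed, the `hunt`, `matches` and `format_message` names are chosen for this example, and the `allowed_src` parameter is a stand-in for the tuning the `aws_iam_successful_group_deletion_filter` macro would do (the search's `errorCode=success` assumes the AWS add-on normalises the absent `errorCode` on successful calls to the string `success`, which the script mirrors).

```python
import ipaddress
from datetime import datetime, timezone

# Constructed CloudTrail records for this example (not real log data). Only the
# fields the Splunk search references are populated.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-29T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.30 Python/3.11.8",
     "userIdentity": {"principalId": "AIDAEXAMPLEPRINCIPAL",
                      "arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"groupName": "Admins"}},
    {"eventTime": "2024-05-29T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.30 Python/3.11.8",
     "userIdentity": {"principalId": "AIDAEXAMPLEPRINCIPAL",
                      "arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"groupName": "Auditors"}},
    # Failed deletion: CloudTrail sets errorCode, so the search drops it.
    {"eventTime": "2024-05-29T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup", "awsRegion": "us-east-1", "errorCode": "NoSuchEntityException",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.30 Python/3.11.8",
     "userIdentity": {"principalId": "AIDAEXAMPLEPRINCIPAL",
                      "arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"groupName": "Ghost"}},
    # Service-originated deletion (userAgent ends in .amazonaws.com): excluded by the search.
    {"eventTime": "2024-05-29T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "cloudformation.amazonaws.com", "userAgent": "cloudformation.amazonaws.com",
     "userIdentity": {"principalId": "AROAEXAMPLEROLE:stack",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/stack"},
     "requestParameters": {"groupName": "StackGroup"}},
    # Different API call: not a DeleteGroup.
    {"eventTime": "2024-05-29T10:08:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.30 Python/3.11.8",
     "userIdentity": {"principalId": "AIDAEXAMPLEPRINCIPAL",
                      "arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"groupName": "Admins"}},
]


def is_success(event):
    # CloudTrail omits errorCode on a successful call; treat the absent field as "success",
    # which is what the search's errorCode=success clause assumes the add-on does.
    return event.get("errorCode", "success") == "success"


def matches(event):
    """Equivalent of: eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success
    (userAgent!=*.amazonaws.com)."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "DeleteGroup"
            and is_success(event)
            and not event.get("userAgent", "").endswith(".amazonaws.com"))


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(events, allowed_src=()):
    """Equivalent of the stats clause: count, firstTime, lastTime and the set of group
    names keyed by src, user_arn, awsRegion and user_agent. allowed_src is a list of
    CIDRs (corporate offices, VPN egress) whose events are dropped, standing in for the
    detection's filter macro."""
    trusted = [ipaddress.ip_network(cidr) for cidr in allowed_src]
    rows = {}
    for ev in events:
        if not matches(ev):
            continue
        src = ev.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            ip = None  # service DNS names are not IPs; never treat them as trusted
        if ip is not None and any(ip in net for net in trusted):
            continue
        key = (src, ev["userIdentity"].get("arn"), ev.get("awsRegion"), ev.get("userAgent"))
        when = parse_time(ev["eventTime"])
        row = rows.setdefault(key, {"count": 0, "firstTime": when, "lastTime": when,
                                    "group_deleted": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], when)
        row["lastTime"] = max(row["lastTime"], when)
        row["group_deleted"].add(ev.get("requestParameters", {}).get("groupName"))
    return rows


def format_message(key, row):
    """Render the detection's risk message for one aggregated row."""
    src, user_arn, _region, _ua = key
    groups = ", ".join(sorted(row["group_deleted"]))
    return f"User {user_arn} has successfully deleted group(s) {groups} from {src}"


if __name__ == "__main__":
    for key, row in hunt(SAMPLE_EVENTS).items():
        print(format_message(key, row), row["firstTime"], row["lastTime"])
```

Run against the constructed events, the script yields a single row for `mallory` covering `Admins` and `Auditors`; the failed deletion, the service-originated call and the `CreateGroup` event are all dropped, and passing `allowed_src=["203.0.113.0/24"]` suppresses the row entirely, which is the kind of src-based tuning the `known_false_positives` field recommends. Before relying on the `userAgent!=*.amazonaws.com` exclusion in production, check in your own CloudTrail data which user agent values console-driven IAM changes report, so that the exclusion does not silently drop the activity you most want to see.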