Name:AWS IAM Failure Group Deletion id:723b861a-92eb-11eb-93b8-acde48001122 version:5 date:2024-10-22 author:Michael Haag, Splunk status:production type:Anomaly Description:The following analytic identifies failed attempts to delete AWS IAM groups. It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. This activity is significant as it may indicate unauthorized attempts to modify IAM group configurations, which could be a precursor to privilege escalation or other malicious actions. If confirmed malicious, this could allow an attacker to disrupt IAM policies, potentially leading to unauthorized access or denial of service within the AWS environment. Data_source:
-AWS CloudTrail DeleteGroup
search:`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`
how_to_implement:The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives:This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege). References: -https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html -https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html drilldown_searches: name:'View the detection results for - "$user_arn$"' search:'%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user_arn$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'AWS IAM Privilege Escalation' asset_type:AWS Account confidence:50 impact:10 message:User $user_arn$ has had mulitple failures while attempting to delete groups from $src$ mitre_attack_id: - 'T1098' observable: name:'src' type:'IP Address' - role: - 'Attacker' name:'user_arn' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'eventName' - 'userAgent' - 'errorCode' - 'requestParameters.groupName' risk_score:5 security_domain:access
