AWS IAM Successful Group Deletion

Original Source: [splunk source]
Name:AWS IAM Successful Group Deletion
id:e776d06c-9267-11eb-819b-acde48001122
version:4
date:2024-10-22
author:Michael Haag, Splunk
status:production
type:Hunting
Description:The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.
Data_source:
  • -AWS CloudTrail DeleteGroup
search:`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_successful_group_deletion_filter`

how_to_implement:The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.
known_false_positives:This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
References:
  -https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html
   -https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html
 drilldown_searches:
  :
tags:
  analytic_story:
    - 'AWS IAM Privilege Escalation'
  asset_type:AWS Account
  confidence:50
  impact:10
  message:User $user_arn$ has sucessfully deleted mulitple groups $group_deleted$ from $src$
  mitre_attack_id:
    - 'T1069.003'
    - 'T1098'
    - 'T1069'
  observable:
    name:'src'
    type:'IP Address'
    - role:
      - 'Attacker'
    name:'user_arn'
    type:'User'
    - role:
      - 'Victim'
    name:'group_deleted'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'eventName'
    - 'userAgent'
    - 'errorCode'
    - 'requestParameters.groupName'
  risk_score:5
  security_domain:access

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json
  sourcetype: aws:cloudtrail
  source: aws_cloudtrail
  update_timestamp: True
manual_test:None

Related Analytic Stories


AWS IAM Privilege Escalation

© 2024 DetectionCode Website. All Rights Reserved.