security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ce072a4e58238d94deae33ff8de25458ac129d5
sigma-rules/rules/integrations/aws/impact_iam_group_deletion.toml
T
Isai f02589c249 [Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion (#5269) 
* [Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access

AWS S3 Bucket Policy Added to Share with External Account
Low telemetry volume overall, however false positives were seen for cloudfront identity and service accounts being given access to a bucket
- Reduced the scope of this rule to only analyze policy that include account ids or account ARNs (which include an account ID). This eliminates the false positives triggered by sharing buckets with a service account (i.e. cloudtrail.amazonaws.com)
- Excluded cloudfront identity, which should be treated the same way service accounts are being treated and be excluded as they do not include account IDs in their ARN
- This rule wasn't explicitly capturing the use of `Principal: *` which is a public sharing method, often accompanied by a Condition statement (i.e. aws.SourceAccount =  OR aws.PrincipalAccount= OR ip.address = ....). The new query will capture Condition statements that include an account id. However there is still a gap for Policies that have explicit `Principal:*` with or without a condition, so another rule was created that will account for these scenarios.
- added highlighted fields
- updated investigation guide and description
- updated Mitre tactics and tags
- `event.type` used in place of `event.category` field

### AWS S3 Bucket Policy Added to Allow Public Access
Rule added to cover gap in public bucket policy added which includes an `Effect=Allow` and `Principal: *`. While an additional condition might be added to this policy which would exclude public access, cases where the condition is not included mean the bucket is publicly accessible. Both cases need to be verified, because even the condition could be giving access to an attacker owned account. There is also the chance that an `Effect=Deny` for `Principal:*` will trigger a false positive for this rule if the same policy also includes an `Effect=Allow` statement. We call this out in the description, false positive and investigation guide sections of the rule.

* [Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion

All 3 rules are showing extremely low telemetry volume as expected. No major changes needed to these queries.
- updated the descriptions, investigation guides and false positive sections
- reduced execution window
- added highlighted fields

* slight edit to description

* Revert "[Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access"

This reverts commit 776d748a11d11f2c0e974e68c9e3adc77dcb3d9f.

* Update rules/integrations/aws/persistence_iam_group_creation.toml
2025-11-14 02:34:28 -05:00

120 lines
5.1 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
updated_date = "2025/10/30"
[rule]
author = ["Elastic"]
description = """
Detects when an IAM group is deleted using the DeleteGroup API call. Deletion of an IAM group may represent a malicious
attempt to remove audit trails, disrupt operations, or hide adversary activity (for example after using the group
briefly for privileged access). This can be an indicator of impact or cleanup in an attack lifecycle.
"""
false_positives = [
"""
Legitimate group deletion during decommissioning of projects, clean-up of service accounts, or identity lifecycle
changes may trigger this alert. Verify whether the user identity, user agent, and/or hostname should be making
changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known
behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Group Deletion"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating AWS IAM Group Deletion
Attackers sometimes remove groups to erase evidence, disrupt operations, or prevent users from receiving needed permissions (Impact). Deletion can also follow malicious cleanup after attaching policies and using the group briefly. This alert fires on `DeleteGroup` API call. Consider intentional disruption or covering tracks, particularly if the group was privileged or recently modified.
### Possible investigation steps
- **Identify the actor and environment**
- Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.access_key_id`.
- Check `source.ip`, `user_agent.original`, `cloud.account.id`, `cloud.region` for atypical activity.
- **Determine what was lost**
- From `aws.cloudtrail.request_parameters`, capture `groupName`.
- Use history or logs to identify existing members and attached policies prior to deletion (ex: `GetGroup`, `ListAttachedGroupPolicies`).
- Determine if the group contained privileged roles/policies that could have been weaponized.
- **Correlate with related activity**
- Look in the prior 124h for `DetachGroupPolicy`, `RemoveUserFromGroup`, `DeleteGroupPolicy`, which often precede deletion in adversary cleanup workflows.
- After deletion, monitor for creation of new similarly-named groups, or re-attachment of policies to other groups/roles.
### False positive analysis
- Projects & services that are being decommissioned often require group deletion. Confirm through internal inventory and change control.
- Sandbox or dev accounts frequently create and delete groups; ensure the environment context is understood.
### Response and remediation
- **Containment**: If deletion was unauthorized, restrict the actors IAM privileges and block further configuration changes.
- **Investigation and scoping**: Recover details of the deleted group (members, policies) from logs or AWS Config, and determine the impact of the deletion (which users lost membership, service account disruption).
- **Recovery and hardening**: Recreate the group if necessary, restore intended policies and memberships, enforce change-control for group deletions, restrict `iam:DeleteGroup` privileges, and create alerts for destructive IAM operations.
### Additional information
[AWS Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)
"""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html",
]
risk_score = 21
rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS IAM",
"Tactic: Impact",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset: aws.cloudtrail and
event.provider: iam.amazonaws.com and
event.action: DeleteGroup and
event.outcome: success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
]
Reference in New Issue View Git Blame Copy Permalink