sigma-rules/rules/integrations/aws/persistence_iam_group_creation.toml
Isai f02589c249 [Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion (#5269)
* [Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access

### AWS S3 Bucket Policy Added to Share with External Account
Low telemetry volume overall; however, false positives were seen for the CloudFront identity and service accounts being given access to a bucket.
- Reduced the scope of this rule to only analyze policies that include account IDs or account ARNs (which include an account ID). This eliminates the false positives triggered by sharing buckets with a service account (e.g. cloudtrail.amazonaws.com).
- Excluded the CloudFront identity, which should be treated the same way service accounts are treated and be excluded, as its ARN does not include an account ID.
- This rule wasn't explicitly capturing the use of `Principal: *`, which is a public sharing method, often accompanied by a Condition statement (i.e. aws.SourceAccount = OR aws.PrincipalAccount = OR ip.address = ...). The new query will capture Condition statements that include an account ID. However, there is still a gap for policies that have an explicit `Principal: *` with or without a condition, so another rule was created that will account for these scenarios.
- added highlighted fields
- updated investigation guide and description
- updated MITRE tactics and tags
- `event.type` used in place of `event.category` field

### AWS S3 Bucket Policy Added to Allow Public Access
Rule added to cover the gap of a public bucket policy being added that includes an `Effect=Allow` and `Principal: *`. While an additional condition might be added to this policy that would exclude public access, cases where the condition is not included mean the bucket is publicly accessible. Both cases need to be verified, because even the condition could be giving access to an attacker-owned account. There is also the chance that an `Effect=Deny` for `Principal: *` will trigger a false positive for this rule if the same policy also includes an `Effect=Allow` statement. We call this out in the description, false positive, and investigation guide sections of the rule.

* [Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion

All 3 rules are showing extremely low telemetry volume as expected. No major changes needed to these queries.
- updated the descriptions, investigation guides and false positive sections
- reduced execution window
- added highlighted fields

* slight edit to description

* Revert "[Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access"

This reverts commit 776d748a11d11f2c0e974e68c9e3adc77dcb3d9f.

* Update rules/integrations/aws/persistence_iam_group_creation.toml
2025-11-14 02:34:28 -05:00
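The policy checks described in the commit message above, as an added example that is not part of the commit or of the rules it describes: a small Python classifier that walks a bucket policy statement by statement and reports the three cases the message distinguishes (Principal `*` with no Condition, Principal `*` narrowed by a Condition, and a grant to an account ID or IAM ARN outside the bucket owner's account), while skipping service principals and the CloudFront origin access identity, which carry no account ID. It goes one step beyond the KQL rules by evaluating each statement on its own, so a `Deny` to `Principal: *` in the same policy does not produce the false positive the message warns about. The account IDs, bucket name and policy document are constructed sample data.

```python
import json
import re

# A bare 12-digit account ID, on its own or embedded in an IAM ARN.
ACCOUNT_ID_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")
# CloudFront origin access identities, like service principals (cloudtrail.amazonaws.com),
# carry no account ID, so both are skipped just as the tuned rule skips them.
CLOUDFRONT_OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"


def _principals(principal):
    """Flatten a Principal element into (kind, value) pairs; "*" means {"AWS": "*"}."""
    if principal == "*":
        return [("AWS", "*")]
    pairs = []
    for kind, values in principal.items():
        for value in ([values] if isinstance(values, str) else values):
            pairs.append((kind, value))
    return pairs


def classify_statement(stmt, own_account):
    """Findings for one statement (empty set when it grants nothing of interest):

    public                 Effect=Allow to Principal "*" with no Condition
    public-with-condition  Effect=Allow to Principal "*" narrowed by a Condition
    external-account       Effect=Allow to an account ID or IAM ARN outside own_account,
                           or a Condition that names such an account
    """
    if stmt.get("Effect") != "Allow":
        return set()  # Deny grants nothing, so it must not count as sharing
    findings = set()
    condition = stmt.get("Condition")
    for kind, value in _principals(stmt.get("Principal", {})):
        if value == "*":
            findings.add("public-with-condition" if condition else "public")
        elif kind == "Service" or value.startswith(CLOUDFRONT_OAI_PREFIX):
            continue  # no account ID to evaluate
        elif set(ACCOUNT_ID_RE.findall(value)) - {own_account}:
            findings.add("external-account")
    # aws:SourceAccount / aws:PrincipalAccount conditions are still a share with that account.
    if condition and set(ACCOUNT_ID_RE.findall(json.dumps(condition))) - {own_account}:
        findings.add("external-account")
    return findings


def classify_policy(policy_json, own_account):
    """Map statement index -> findings for a whole bucket policy document."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    return {i: classify_statement(s, own_account) for i, s in enumerate(statements)}


OWN_ACCOUNT = "111111111111"  # constructed bucket-owner account
# Constructed policy exercising every case from the commit message.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",  # TLS-only deny: not a share
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLE"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                                   "arn:aws:iam::222222222222:root"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalAccount": "333333333333"}}},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/public/*"},
    ],
})

if __name__ == "__main__":
    for index, findings in classify_policy(SAMPLE_POLICY, OWN_ACCOUNT).items():
        print(index, sorted(findings) or "-")
```

Statements 0 to 2 produce no finding (the Deny, the service principal and the OAI), statement 3 is an external-account share, statement 4 is both public-with-condition and external-account because the condition names a foreign account, and statement 5 is plain public.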

[metadata]
creation_date = "2020/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/10/30"
[rule]
author = ["Elastic"]
description = """
Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple
users. Any user in a group automatically has the permissions that are assigned to the group. Adversaries who obtain
credentials with IAM write privileges may create a new group as a foothold for persistence: they can later attach
admin-level policies to the group and quietly add users or roles to inherit those privileges.
"""
false_positives = [
"""
A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Group Creation"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating AWS IAM Group Creation
AWS IAM allows organizations to manage user access and permissions securely. Groups in IAM simplify permission management by allowing multiple users to inherit the same permissions. However, adversaries may exploit this by creating unauthorized groups to gain persistent access. This alert fires on `CreateGroup`. New group creation may indicate attacker staging for persistence, especially if followed by policy attachments or user additions.
#### Possible investigation steps
- **Identify the actor and context**
- Check `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.access_key_id` to determine who performed the group creation.
- Review `source.ip`, `user_agent.original`, `cloud.account.id`, `cloud.region` for unusual network, client, or region usage.
- **Examine the group details**
- From `aws.cloudtrail.response_elements`, extract `groupName` and `path` (e.g., /service/, /dev/).
- Look for immediate follow-on changes by the same actor within the next 15 to 30 minutes:
- `AttachGroupPolicy` (especially `AdministratorAccess` or broad `s3:*`, `iam:*`).
- `AddUserToGroup` (who was added and when?).
- Use `GetGroup` to enumerate current group membership and `ListAttachedGroupPolicies` for attached policies during triage.
- **Correlate with broader activity**
- Look for prior suspicious actions by the same user: `AssumeRole`, `CreateAccessKey`, new IAM user/role.
- After group creation, watch for data-access or configuration changes (e.g., S3 policy updates, KMS key policy changes).
### False positive analysis
- IAM onboarding workflows or DevOps pipelines creating groups for new projects can trigger this alert.
- Test or sandbox accounts often create and delete groups routinely; validate account context and approval flows.
### Response and remediation
- **Containment**:
- If suspicious, disable further changes by the actor (temporarily remove IAM write privileges or deactivate keys).
- Place a change freeze on the newly created group (block `AttachGroupPolicy`/`AddUserToGroup` on that group via an SCP, or constrain the actor with a permissions boundary, until review completes).
- **Investigation and scoping**:
- Use `GetGroup` to list the group's members and `ListAttachedGroupPolicies`/`ListGroupPolicies` to list its managed and inline policies; investigate any policy granting broad privileges.
- Hunt for same-actor `AttachGroupPolicy`/`AddUserToGroup` events across the last 24 to 48 hours.
- **Recovery and hardening**:
- Delete unauthorized, unused, or suspicious groups and remove rogue policies/members.
- Restrict who can call `iam:CreateGroup`, `iam:AttachGroupPolicy`, and `iam:AddUserToGroup` (least privilege).
### Additional information
[AWS Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)
"""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
"https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html",
]
risk_score = 21
rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS IAM",
"Use Case: Identity and Access Audit",
"Tactic: Persistence",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset: aws.cloudtrail and
event.provider: iam.amazonaws.com and
event.action: CreateGroup and
event.outcome: success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements",
]
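The query and the follow-on correlation described in the investigation guide, as an added example that is not part of the rule file above: Python run over constructed raw CloudTrail records, where `eventSource`, `eventName` and `errorCode` stand in for the ECS fields `event.provider`, `event.action` and `event.outcome` that the KQL uses. It raises one alert per successful `CreateGroup` and attaches the same actor's `AttachGroupPolicy`/`AddUserToGroup` calls against that group inside a 30 minute window, escalating when `AdministratorAccess` is attached. `PutGroupPolicy` (inline policies), the actor ARNs, the group names and the sample records are assumptions of the example, not taken from the rule.

```python
from datetime import datetime, timedelta, timezone

# Follow-on IAM calls the investigation guide says to look for after CreateGroup;
# PutGroupPolicy (inline policy) is added by this example, not named in the rule.
FOLLOW_ON_ACTIONS = {"AttachGroupPolicy", "PutGroupPolicy", "AddUserToGroup"}


def matches_rule(record):
    """Raw-CloudTrail equivalent of the rule's KQL: eventSource is event.provider,
    eventName is event.action and a missing errorCode is event.outcome: success."""
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") == "CreateGroup"
            and "errorCode" not in record)


def _when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _severity(follow_on):
    if any(f.get("policyArn", "").endswith("/AdministratorAccess") for f in follow_on):
        return "high"
    return "medium" if follow_on else "low"


def triage(records, window=timedelta(minutes=30)):
    """One alert per successful CreateGroup, enriched with the same actor's
    follow-on changes to that group inside the window."""
    records = sorted(records, key=_when)
    alerts = []
    for rec in records:
        if not matches_rule(rec):
            continue
        actor, group, start = rec["userIdentity"]["arn"], rec["requestParameters"]["groupName"], _when(rec)
        follow_on = []
        for other in records:
            params = other.get("requestParameters", {})
            if (other is rec or "errorCode" in other
                    or other.get("eventSource") != "iam.amazonaws.com"
                    or other.get("eventName") not in FOLLOW_ON_ACTIONS
                    or other["userIdentity"].get("arn") != actor
                    or params.get("groupName") != group
                    or not start <= _when(other) <= start + window):
                continue
            follow_on.append({"eventName": other["eventName"], "eventTime": other["eventTime"],
                              **{k: v for k, v in params.items() if k != "groupName"}})
        alerts.append({
            "actor": actor,
            "access_key_id": rec["userIdentity"].get("accessKeyId"),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "group": group,
            "path": rec.get("responseElements", {}).get("group", {}).get("path"),
            "follow_on": follow_on,
            "severity": _severity(follow_on),
        })
    return alerts


def _event(time, name, actor, params, **extra):
    """Build a trimmed CloudTrail record (constructed sample data, not real telemetry)."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
           "awsRegion": "us-east-1", "requestParameters": params,
           "userIdentity": {"type": "IAMUser", "arn": actor, "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
    rec.update(extra)
    return rec


CONTRACTOR = "arn:aws:iam::111111111111:user/contractor"   # constructed actors
ADMIN = "arn:aws:iam::111111111111:user/platform-admin"
SAMPLE_EVENTS = [
    _event("2025-10-30T10:00:00Z", "CreateGroup", CONTRACTOR, {"groupName": "backup-ops"},
           sourceIPAddress="203.0.113.7", userAgent="aws-cli/2.15.0",
           responseElements={"group": {"groupName": "backup-ops", "path": "/service/"}}),
    _event("2025-10-30T10:04:12Z", "AttachGroupPolicy", CONTRACTOR,
           {"groupName": "backup-ops", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _event("2025-10-30T10:05:40Z", "AddUserToGroup", CONTRACTOR,
           {"groupName": "backup-ops", "userName": "svc-backup"}),
    _event("2025-10-30T10:20:00Z", "CreateGroup", "arn:aws:iam::111111111111:user/dev",
           {"groupName": "dev-team"}, errorCode="AccessDenied"),  # failed call: no alert
    _event("2025-10-30T11:00:00Z", "CreateGroup", ADMIN, {"groupName": "qa-readers"},
           sourceIPAddress="10.0.0.5", userAgent="console.amazonaws.com",
           responseElements={"group": {"groupName": "qa-readers", "path": "/"}}),
    _event("2025-10-30T12:30:00Z", "AttachGroupPolicy", ADMIN,  # 90 min later: outside window
           {"groupName": "qa-readers", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["group"], alert["actor"],
              [f["eventName"] for f in alert["follow_on"]])
```

The contractor's group gets a high-severity alert with both follow-on calls attached, the failed `CreateGroup` is dropped exactly as `event.outcome: success` drops it, and the admin's group alerts at the rule's base severity because the later policy attachment falls outside the window.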