Rules Contributing to Suspicious AWS IAM Activity Alert

The following rules are used to identify suspicious activity within AWS IAM logs. Any one or more of these will trigger a Suspicious AWS IAM Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

AWS User Login Profile Was Modified

An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users.

Rule ID

aws_2

Query

{'selection_source': {'eventSource': 'iam.amazonaws.com', 'eventName': 'UpdateLoginProfile'}, 'filter': {'userIdentity_arn|contains': 'requestParameters.userName'}, 'condition': 'selection_source and not filter'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,055fb148-60f8-462d-ad16-26926ce050f1

Author: toffeebr33k

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/08/09 high

  • Legit User Account Administration

AWS IAM Backdoor Users Keys

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Rule ID

aws_13

Query

{'selection_source': {'eventSource': 'iam.amazonaws.com', 'eventName': 'CreateAccessKey'}, 'filter': {'userIdentity_arn|contains': 'responseElements.accessKey.userName'}, 'condition': 'selection_source and not filter'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2

Author: faloker

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2020/02/12 medium

  • Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)

  • AWS API keys legitimate exchange workflows

AWS IAM User Addition to Group

Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).

Rule ID

aws_24

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'AddUserToGroup'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/06/04 low

  • Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS IAM Group Creation

Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.

Rule ID

aws_26

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateGroup'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1136

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/06/05 low

  • A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS IAM Assume Role Policy Update

Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.

Rule ID

aws_42

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'UpdateAssumeRolePolicy'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0004, T1078

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/07/06 low

  • Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS IAM Deactivation of MFA Device

Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.

Rule ID

aws_44

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': ['DeactivateMFADevice', 'DeleteVirtualMFADevice']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1531

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/26 medium

  • A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS IAM Group Deletion

Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.

Rule ID

aws_50

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'DeleteGroup'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0040, T1531

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2020/05/21 low

  • A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS New MFA Method Registered For User

The following analytic identifies the registration of a new Multi Factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence.

Rule ID

aws_75

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateVirtualMFADevice'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0006, T1556

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2023-01-31 medium

  • Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.

AWS IAM User Created

A new account has been created in AWS IAM.

Rule ID

aws_80

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateUser'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1136

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/01/05 medium N/A

Created AWS IAM Credentials

New IAM credentials have been generated.

Rule ID

aws_81

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateAccessKey'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/01/05 medium N/A

IAM Policy Modification

The IAM policies associated with a user have been modified.

Rule ID

aws_82

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'UpdateUserAccessPolicy'}, 'selection3': {'eventName': 'DeleteUserAccessPolicy'}, 'selection4': {'eventName': 'AddAccessPolicyToGroup'}, 'selection5': {'eventName': 'AddUserToGroup'}, 'selection6': {'eventName': 'RemoveUsersFromGroup'}, 'condition': 'selection1 and (selection2 or selection3 or selection4 or selection5 or selection6)'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2022/01/05 medium N/A

AWS IAM AccessDenied Discovery Event

The following detection identifies AccessDenied event. It is possible that an access key to AWS may have been stolen and is being misused to perform discovery events.

Rule ID

aws_83

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'errorCode': 'AccessDenied'}, 'selection3': {'userIdentity_type': 'IAMUser'}, 'selection4': {'userAgent': '*.amazonaws.com'}, 'condition': 'selection1 and selection2 and selection3 and not selection4'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0007, T1580

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021-11-12 medium

  • It is possible to start this detection will need to be tuned by source IP or user.

AWS IAM Delete Policy

The following detection identifies when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts.

Rule ID

aws_84

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'DeletePolicy'}, 'selection3': {'userAgent': '*.amazonaws.com'}, 'condition': 'selection1 and selection2 and not selection3'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021-04-01 medium

  • This detection will require tuning to provide high fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved separately and tuned for failed or success attempts only.

AWS IAM Failure Group Deletion

This detection identifies failure attempts to delete groups. We want to identify when a group is attempting to be deleted, but either access is denied, there is a conflict or there is no group. This is indicative of administrators performing an action, but also could be suspicious behavior occurring.

Rule ID

aws_85

Query

{'selection2': {'eventSource': 'iam.amazonaws.com'}, 'selection3': {'eventName': 'DeleteGroup'}, 'selection4': {'errorCode': ['NoSuchEntityException', 'DeleteConflictException']}, 'selection5': {'errorCode': 'AccessDenied'}, 'selection6': {'userAgent': '*.amazonaws.com'}, 'condition': 'selection2 and selection3 and (selection4 or selection5) and not selection6'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1098

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021-04-01 medium

  • This detection will require tuning to provide high fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).

AWS SetDefaultPolicyVersion

This search looks for AWS CloudTrail events where a user has set a default policy versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy

Rule ID

aws_86

Query

{'selection2': {'eventName': 'SetDefaultPolicyVersion'}, 'selection3': {'eventSource': 'iam.amazonaws.com'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1078, T1078.004

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021-03-02 medium

  • While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources

AWS Create Policy Version to allow all resources

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.

Rule ID

aws_87

Query

{'selection2': {'eventName': 'CreatePolicyVersion'}, 'selection3': {'eventSource': 'iam.amazonaws.com'}, 'selection4': {'errorCode': 'success'}, 'condition': 'selection2 and selection3 and selection4'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1078, T1078.004

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022-05-17 medium

  • While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.

AWS CreateLoginProfile

This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile.

Rule ID

aws_119

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateLoginProfile'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1136, T1136.003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2021-07-19 medium

  • While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile.

AWS CreateAccessKey

This search looks for AWS CloudTrail events where a user creates access keys.

Rule ID

aws_120

Query

{'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateAccessKey'}, 'selection3': {'userAgent': 'console.amazonaws.com'}, 'selection4': {'errorCode': 'success'}, 'condition': 'selection1 and (selection2 and (not selection3) and selection4)'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0003, T1136, T1136.003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
production 2022-03-03 medium

  • Unknown