Rules Contributing to Suspicious AWS IAM Activity Alert
The following rules identify suspicious activity in AWS IAM CloudTrail logs. Any one or more of them triggers a Suspicious AWS IAM Activity Alert. Each rule is listed with its description, query, log source, rule source and severity.

AWS User Login Profile Was Modified

Description: An attacker holding the iam:UpdateLoginProfile permission on other users can change the console password of any user that already has a login profile. This rule detects a principal changing the password of a user other than itself: the filter drops calls where the caller's ARN (userIdentity.arn) contains the target requestParameters.userName, that is, self-service password changes. Two caveats apply to that filter. Sigma has no field-to-field comparison, so confirm that the backend resolves requestParameters.userName as a field reference rather than as a literal string. And because the comparison is a substring match, a target user name that happens to occur inside the caller's user name is suppressed as well.
Query: {'selection_source': {'eventSource': 'iam.amazonaws.com', 'eventName': 'UpdateLoginProfile'}, 'filter': {'userIdentity_arn|contains': 'requestParameters.userName'}, 'condition': 'selection_source and not filter'}
Log Source: Stellar Cyber AWS configured
Rule Source: SigmaHQ, 055fb148-60f8-462d-ad16-26926ce050f1 (author: toffeebr33k)
Severity: 75

AWS IAM Backdoor Users Keys

Description: Detects the creation of an AWS access key for one IAM user by a different user. A key planted on another user's account gives an attacker persistence in the AWS environment. The filter drops calls where the caller's ARN contains the responseElements.accessKey.userName of the created key (a user creating a key for itself), so the alert also shows how access keys flow across the organization. The same field-reference and substring caveats as for the login-profile rule above apply. Note also that CloudTrail omits responseElements on failed calls, so a denied attempt is never suppressed by the filter.
Query: {'selection_source': {'eventSource': 'iam.amazonaws.com', 'eventName': 'CreateAccessKey'}, 'filter': {'userIdentity_arn|contains': 'responseElements.accessKey.userName'}, 'condition': 'selection_source and not filter'}
Log Source: Stellar Cyber AWS configured
Rule Source: SigmaHQ, 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2 (author: faloker)
Severity: 50

AWS IAM User Addition to Group

Description: Identifies the addition of a user to an IAM group (AddUserToGroup). The user immediately inherits every permission attached to the group.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'AddUserToGroup'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 25

AWS IAM Group Creation

Description: Identifies the creation of an IAM group (CreateGroup). A group is a set of permissions shared by its members; any user placed in the group automatically receives the permissions attached to it.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateGroup'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 25

AWS IAM Assume Role Policy Update

Description: Identifies modification of an IAM role's trust (assume-role) policy (UpdateAssumeRolePolicy). An adversary with iam:UpdateAssumeRolePolicy can rewrite the trust policy of a role so that a principal under their control is allowed to assume it, thereby gaining the role's privileges.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'UpdateAssumeRolePolicy'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 25

AWS IAM Deactivation of MFA Device

Description: Identifies the deactivation of a multi-factor authentication (MFA) device (DeactivateMFADevice), which removes it from the user it was enabled for, and the deletion of a virtual MFA device (DeleteVirtualMFADevice). IAM requires a device to be deactivated before it can be deleted, so the two events commonly appear in sequence when MFA is being stripped from a user.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': ['DeactivateMFADevice', 'DeleteVirtualMFADevice']}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 50

AWS IAM Group Deletion

Description: Identifies the deletion of an IAM group (DeleteGroup). IAM only deletes a group that has no members and no policies; deleting the group removes the group and its permission assignments but not the user accounts that belonged to it.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'DeleteGroup'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 25

AWS New MFA Method Registered For User

Description: Identifies the registration of a new virtual MFA device (CreateVirtualMFADevice) in an AWS account. Adversaries who have obtained unauthorized access may register their own MFA device to maintain persistence. CreateVirtualMFADevice only creates the device; the call that binds it to a user is EnableMFADevice, which this query does not cover, so look at the following EnableMFADevice event to see which user the device was enabled for.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateVirtualMFADevice'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 80

AWS IAM User Created

Description: A new IAM user has been created (CreateUser).
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateUser'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 50

Created AWS IAM Credentials

Description: A new access key pair has been generated for an IAM user (CreateAccessKey). Unlike the AWS IAM Backdoor Users Keys and AWS CreateAccessKey rules, this rule fires on every CreateAccessKey event, including a user creating a key for itself.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateAccessKey'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 50

IAM Policy Modification

Description: The IAM policies or group membership of a user have been modified. Check the event names in this query against your CloudTrail data: IAM records inline user policy changes as PutUserPolicy and DeleteUserPolicy, managed policy attachment as AttachUserPolicy and AttachGroupPolicy, inline group policy changes as PutGroupPolicy, and removal from a group as RemoveUserFromGroup, so several of the names listed here may never match.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'UpdateUserAccessPolicy'}, 'selection3': {'eventName': 'DeleteUserAccessPolicy'}, 'selection4': {'eventName': 'AddAccessPolicyToGroup'}, 'selection5': {'eventName': 'AddUserToGroup'}, 'selection6': {'eventName': 'RemoveUsersFromGroup'}, 'condition': 'selection1 and (selection2 or selection3 or selection4 or selection5 or selection6)'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 50

AWS IAM AccessDenied Discovery Event

Description: Identifies IAM API calls by an IAM user that fail with errorCode AccessDenied, excluding calls whose userAgent is an AWS service (*.amazonaws.com). A stolen access key being used to probe what it is permitted to do typically produces a burst of such denied discovery calls.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'errorCode': 'AccessDenied'}, 'selection3': {'userIdentity_type': 'IAMUser'}, 'selection4': {'userAgent': '*.amazonaws.com'}, 'condition': 'selection1 and selection2 and selection3 and not selection4'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 20

AWS IAM Delete Policy

Description: Identifies DeletePolicy calls that do not originate from an AWS service userAgent. The query does not distinguish successful from failed deletions; the errorCode on failed attempts (for example AccessDenied) is what turns a series of them into a suspicious pattern.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'DeletePolicy'}, 'selection3': {'userAgent': '*.amazonaws.com'}, 'condition': 'selection1 and selection2 and not selection3'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 20

AWS IAM Failure Group Deletion

Description: Identifies failed attempts to delete an IAM group: the group does not exist (NoSuchEntityException), it still has members or policies (DeleteConflictException), or the caller lacks permission (AccessDenied). Calls from AWS service userAgents are excluded. This is usually an administrator's mistake, but it can also be an intruder probing what they are allowed to remove.
Query: {'selection2': {'eventSource': 'iam.amazonaws.com'}, 'selection3': {'eventName': 'DeleteGroup'}, 'selection4': {'errorCode': ['NoSuchEntityException', 'DeleteConflictException']}, 'selection5': {'errorCode': 'AccessDenied'}, 'selection6': {'userAgent': '*.amazonaws.com'}, 'condition': 'selection2 and selection3 and (selection4 or selection5) and not selection6'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 10

AWS SetDefaultPolicyVersion

Description: Identifies CloudTrail events where a user sets the default version of a managed policy (SetDefaultPolicyVersion). Attackers are known to use this for privilege escalation: a principal holding only iam:SetDefaultPolicyVersion can switch a policy back to an earlier version that granted broader access than the current one.
Query: {'selection2': {'eventName': 'SetDefaultPolicyVersion'}, 'selection3': {'eventSource': 'iam.amazonaws.com'}, 'condition': 'selection2 and selection3'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 50

AWS Create Policy Version to allow all resources

Description: Identifies successful CreatePolicyVersion events, the call an attacker uses to add a policy version that allows them to access any resource in the account. The query matches every successful CreatePolicyVersion call and does not inspect requestParameters.policyDocument, so confirm the broad grant in the new version's document before treating the alert as an escalation. Raw CloudTrail records omit errorCode on success; the literal 'success' compared here therefore relies on the ingest pipeline filling the field in, which should be verified in your data.
Query: {'selection2': {'eventName': 'CreatePolicyVersion'}, 'selection3': {'eventSource': 'iam.amazonaws.com'}, 'selection4': {'errorCode': 'success'}, 'condition': 'selection2 and selection3 and selection4'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 70

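The rule above fires on every successful CreatePolicyVersion call; whether the new version really allows all resources is only visible in requestParameters.policyDocument, which CloudTrail carries as a JSON string. The check below is an added example and not part of the page's rule or Stellar Cyber's code: it parses the document from a CreatePolicyVersion record, reports an unconditional Allow of every action on every resource, and notes whether the version was set as default. The account id, policy ARN and sample policy documents are constructed for the example.

```python
"""Check whether a CreatePolicyVersion CloudTrail record actually introduces an
allow-everything policy version.  Added example; not Stellar Cyber's detection
logic, which matches every successful CreatePolicyVersion call."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_all(policy_document):
    """True if an unconditional Allow statement covers every action on every
    resource.  Action '*' and '*:*' are equivalent; an Allow with NotAction on
    Resource '*' grants everything except the listed actions, so it is
    reported as well (a judgement call made for this example)."""
    doc = json.loads(policy_document)  # CloudTrail carries the document as a JSON string
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        actions = _as_list(stmt.get("Action", []))
        if "*" in actions or "*:*" in actions or "NotAction" in stmt:
            return True
    return False


def assess(event):
    """Verdict for a successful CreatePolicyVersion record, else None.
    Raw CloudTrail carries errorCode only when the call failed."""
    if (event.get("eventSource") != "iam.amazonaws.com"
            or event.get("eventName") != "CreatePolicyVersion"
            or "errorCode" in event):
        return None
    params = event.get("requestParameters") or {}
    return {
        "policyArn": params.get("policyArn"),
        "allowsAll": grants_all(params.get("policyDocument", "{}")),
        # --set-as-default makes the new version effective immediately
        "setAsDefault": bool(params.get("setAsDefault", False)),
    }


def make_event(policy_document, set_as_default, error_code=None):
    """Constructed CloudTrail record (not real log data)."""
    event = {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreatePolicyVersion",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
            "policyDocument": json.dumps(policy_document),
            "setAsDefault": set_as_default,
        },
    }
    if error_code:
        event["errorCode"] = error_code
    return event


NARROW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-bucket/*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
NOT_ACTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"}]}

SAMPLES = {  # constructed sample records
    "narrow_version": make_event(NARROW, False),
    "admin_version_set_default": make_event(ADMIN, True),
    "notaction_version": make_event(NOT_ACTION, False),
    "denied_admin_version": make_event(ADMIN, True, error_code="AccessDenied"),
}

if __name__ == "__main__":
    for label, event in SAMPLES.items():
        print(label, assess(event))
```

A version that allows everything and is also set as default is the combination worth the highest severity; a broad version that is not yet default still matters, because a later SetDefaultPolicyVersion (the preceding rule) can activate it.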
AWS CreateLoginProfile

Description: Identifies CloudTrail events where a console login profile (password) is created for an IAM user (CreateLoginProfile). A principal with iam:CreateLoginProfile can set a console password on a user that previously had only API access keys and then sign in as that user. The query matches every CreateLoginProfile call, whether the profile is created for the caller itself or for another user.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateLoginProfile'}, 'condition': 'selection1 and selection2'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 90

AWS CreateAccessKey

Description: Identifies successful CreateAccessKey events that did not come from the AWS console (userAgent console.amazonaws.com), that is, keys minted through the API or CLI. As with the AWS Create Policy Version rule, the errorCode value 'success' relies on the ingest pipeline filling in a field that raw CloudTrail omits on successful calls.
Query: {'selection1': {'eventSource': 'iam.amazonaws.com'}, 'selection2': {'eventName': 'CreateAccessKey'}, 'selection3': {'userAgent': 'console.amazonaws.com'}, 'selection4': {'errorCode': 'success'}, 'condition': 'selection1 and (selection2 and (not selection3) and selection4)'}
Log Source: Stellar Cyber AWS configured
Rule Source: Developed internally by Stellar Cyber
Severity: 70

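The rules that reason about who the caller is (the two SigmaHQ rules at the top of this list and the AWS CreateAccessKey rule) can be exercised offline. The evaluator below is an added example, not Stellar Cyber's or SigmaHQ's code: it interprets the selection/filter/condition dictionaries as printed on this page, treats a filter value that names a record field (requestParameters.userName, responseElements.accessKey.userName) as a field-to-field comparison, which is the assumed intent of those rules, supports the '*' wildcard and list values the other rules use, and runs the three rules over constructed CloudTrail records. The account id, user names and the 'success' value filled into errorCode are assumptions made for the example.

```python
"""Evaluate rules in the selection/filter/condition form used on this page
against constructed CloudTrail records.  Added example; not Stellar Cyber's
or SigmaHQ's own evaluator."""
import fnmatch
import re

ACCOUNT = "123456789012"  # constructed account id


def ct_event(event_name, caller, target, user_agent="aws-cli/2.15.0", error_code=None):
    """Constructed CloudTrail record: IAM call by `caller` against user `target`."""
    event = {
        "eventSource": "iam.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{caller}"},
        "userAgent": user_agent,
        "requestParameters": {"userName": target},
    }
    if event_name == "CreateAccessKey" and error_code is None:  # no responseElements on failure
        event["responseElements"] = {"accessKey": {"userName": target}}
    # Raw CloudTrail omits errorCode on success; the page's rules compare it to
    # the literal 'success', so we assume the ingest pipeline fills it in.
    event["errorCode"] = error_code or "success"
    return event


def get_field(event, name):
    """Resolve 'requestParameters.userName' or the page's flattened
    'userIdentity_arn' spelling inside a nested record."""
    for sep in (".", "_"):
        node = event
        for part in name.split(sep):
            node = node.get(part) if isinstance(node, dict) else None
        if node is not None:
            return node
    return None


def value_matches(event, actual, expected, op):
    """A value that names a field of the record is treated as a field
    reference (assumed intent of 'userIdentity_arn|contains':
    'requestParameters.userName'; plain Sigma would compare the literal)."""
    if actual is None:
        return False
    ref = get_field(event, expected) if isinstance(expected, str) else None
    expected, actual = str(expected if ref is None else ref), str(actual)
    if op == "contains":
        return expected in actual
    return fnmatch.fnmatchcase(actual, expected)  # '*' wildcards, e.g. '*.amazonaws.com'


def selection_matches(event, selection):
    """Every key of a selection must match; a list value is an OR of alternatives."""
    for key, expected in selection.items():
        field, _, op = key.partition("|")
        actual = get_field(event, field)
        options = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(event, actual, o, op) for o in options):
            return False
    return True


def evaluate(rule, event):
    """True when the rule's condition holds for the record."""
    truth = {n: selection_matches(event, s) for n, s in rule.items() if n != "condition"}
    expr = re.sub(r"\w+", lambda m: m.group() if m.group() in ("and", "or", "not")
                  else str(truth[m.group()]), rule["condition"])
    if not re.fullmatch(r"(\s|True|False|and|or|not|[()])+", expr):
        raise ValueError(f"unsupported condition: {rule['condition']!r}")
    return bool(eval(expr, {"__builtins__": {}}))  # only boolean operators remain


RULES = {  # transcribed from this page
    "AWS User Login Profile Was Modified": {
        "selection_source": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile"},
        "filter": {"userIdentity_arn|contains": "requestParameters.userName"},
        "condition": "selection_source and not filter"},
    "AWS IAM Backdoor Users Keys": {
        "selection_source": {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
        "filter": {"userIdentity_arn|contains": "responseElements.accessKey.userName"},
        "condition": "selection_source and not filter"},
    "AWS CreateAccessKey": {
        "selection1": {"eventSource": "iam.amazonaws.com"},
        "selection2": {"eventName": "CreateAccessKey"},
        "selection3": {"userAgent": "console.amazonaws.com"},
        "selection4": {"errorCode": "success"},
        "condition": "selection1 and (selection2 and (not selection3) and selection4)"},
}


def fired(event):
    """Names of the rules that match a record."""
    return sorted(name for name, rule in RULES.items() if evaluate(rule, event))


SAMPLE_EVENTS = {  # constructed, not real log data
    "self_password_change": ct_event("UpdateLoginProfile", "alice", "alice"),
    "password_set_for_other_user": ct_event("UpdateLoginProfile", "alice", "bob"),
    "own_key_via_cli": ct_event("CreateAccessKey", "bob", "bob"),
    "key_for_other_user_via_console": ct_event("CreateAccessKey", "alice", "bob",
                                               user_agent="console.amazonaws.com"),
    "denied_key_for_other_user": ct_event("CreateAccessKey", "carol", "dave",
                                          error_code="AccessDenied"),
    # 'contains' is a substring test: target 'bert' occurs inside caller 'robert'
    "target_name_inside_caller_arn": ct_event("CreateAccessKey", "robert", "bert"),
}

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(f"{label}: {', '.join(fired(event)) or 'no alert'}")
```

The last sample shows the weakness of the substring filter: robert creating a key for bert is suppressed by the Backdoor Users Keys rule because "bert" occurs inside the caller's ARN, and only the broader AWS CreateAccessKey rule catches it. Comparing the user component of the ARN for equality (the ARN ends with "user/" followed by the target name) instead of a contains test removes that false negative; the denied sample shows the opposite edge, where a failed call has no responseElements and so is never suppressed.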