AWS IAM Group Creation

Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.

Elastic rule

  [metadata]
  creation_date = "2020/06/05"
  integration = ["aws"]
  maturity = "production"
  updated_date = "2025/01/15"

  [rule]
  author = ["Elastic"]
  description = """
  Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple
  users. Any user in a group automatically has the permissions that are assigned to the group.
  """
  false_positives = [
      """
      A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or
      hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be
      investigated. If known behavior is causing false positives, it can be exempted from the rule.
      """,
  ]
  from = "now-60m"
  index = ["filebeat-*", "logs-aws.cloudtrail-*"]
  interval = "10m"
  language = "kuery"
  license = "Elastic License v2"
  name = "AWS IAM Group Creation"
  note = """## Triage and analysis

  > **Disclaimer**:
  > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

  ### Investigating AWS IAM Group Creation

  AWS IAM allows organizations to manage user access and permissions securely. Groups in IAM simplify permission management by allowing multiple users to inherit the same permissions. However, adversaries may exploit this by creating unauthorized groups to gain persistent access. The detection rule monitors successful group creation events, flagging potential misuse by correlating specific AWS CloudTrail logs, thus aiding in identifying unauthorized access attempts.

  ### Possible investigation steps

  - Review the AWS CloudTrail logs for the specific event.provider: iam.amazonaws.com and event.action: CreateGroup to identify the user or service that initiated the group creation.
  - Check the event.dataset: aws.cloudtrail logs for any associated event.outcome: success entries to confirm the successful creation of the group.
  - Investigate the permissions assigned to the newly created group to assess if they include any sensitive or high-privilege permissions that could pose a security risk.
  - Identify and review the IAM user or role that created the group to determine if they have a legitimate reason for this action and if their activity aligns with their typical behavior.
  - Cross-reference the group creation event with other recent IAM activities, such as user additions to the group or changes to group policies, to detect any suspicious patterns or anomalies.
  - Consult with relevant stakeholders or the user responsible for the group creation to verify the legitimacy of the action and gather additional context if necessary.

  ### False positive analysis

  - Routine administrative actions by authorized personnel can trigger alerts. Regularly review and document legitimate group creation activities to differentiate them from unauthorized actions.
  - Automated scripts or tools used for infrastructure management may create groups as part of their normal operation. Identify and whitelist these scripts to prevent unnecessary alerts.
  - Temporary groups created for short-term projects or testing purposes might be flagged. Implement a naming convention for such groups and exclude them from alerts based on this pattern.
  - Scheduled tasks or maintenance activities that involve group creation should be logged and approved in advance. Use these logs to create exceptions in the detection rule.
  - Third-party integrations or services that require group creation for functionality can cause false positives. Verify these integrations and adjust the rule to exclude their known actions.

  ### Response and remediation

  - Immediately review the AWS CloudTrail logs to confirm the unauthorized creation of the IAM group and identify the user or service responsible for the action.
  - Revoke any permissions associated with the newly created IAM group to prevent further unauthorized access or actions.
  - Temporarily disable or delete the unauthorized IAM group to contain the threat and prevent any potential misuse.
  - Conduct a thorough audit of recent IAM changes to identify any other unauthorized activities or anomalies that may indicate further compromise.
  - Escalate the incident to the security operations team for a detailed investigation and to assess the potential impact on the organization's security posture.
  - Implement additional monitoring and alerting for IAM group creation events to enhance detection capabilities and prevent similar incidents in the future.
  - Review and update IAM policies and permissions to ensure they follow the principle of least privilege, reducing the risk of unauthorized access.

  ## Setup

  The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
  references = [
      "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
      "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html",
  ]
  risk_score = 21
  rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
  severity = "low"
  tags = [
      "Domain: Cloud",
      "Data Source: AWS",
      "Data Source: Amazon Web Services",
      "Data Source: AWS IAM",
      "Use Case: Identity and Access Audit",
      "Tactic: Persistence",
      "Resources: Investigation Guide",
  ]
  timestamp_override = "event.ingested"
  type = "query"

  query = '''
  event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success
  '''


  [[rule.threat]]
  framework = "MITRE ATT&CK"
  [[rule.threat.technique]]
  id = "T1136"
  name = "Create Account"
  reference = "https://attack.mitre.org/techniques/T1136/"
  [[rule.threat.technique.subtechnique]]
  id = "T1136.003"
  name = "Cloud Account"
  reference = "https://attack.mitre.org/techniques/T1136/003/"



  [rule.threat.tactic]
  id = "TA0003"
  name = "Persistence"
  reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating AWS IAM Group Creation

AWS IAM allows organizations to manage user access and permissions securely. Groups in IAM simplify permission management by allowing multiple users to inherit the same permissions. However, adversaries may exploit this by creating unauthorized groups to gain persistent access. The detection rule monitors successful group creation events, flagging potential misuse by correlating specific AWS CloudTrail logs, thus aiding in identifying unauthorized access attempts.

Possible investigation steps

  • Review the AWS CloudTrail logs for the specific event.provider: iam.amazonaws.com and event.action: CreateGroup to identify the user or service that initiated the group creation.
  • Check the event.dataset: aws.cloudtrail logs for any associated event.outcome: success entries to confirm the successful creation of the group.
  • Investigate the permissions assigned to the newly created group to assess if they include any sensitive or high-privilege permissions that could pose a security risk.
  • Identify and review the IAM user or role that created the group to determine if they have a legitimate reason for this action and if their activity aligns with their typical behavior.
  • Cross-reference the group creation event with other recent IAM activities, such as user additions to the group or changes to group policies, to detect any suspicious patterns or anomalies.
  • Consult with relevant stakeholders or the user responsible for the group creation to verify the legitimacy of the action and gather additional context if necessary.

False positive analysis

  • Routine administrative actions by authorized personnel can trigger alerts. Regularly review and document legitimate group creation activities to differentiate them from unauthorized actions.
  • Automated scripts or tools used for infrastructure management may create groups as part of their normal operation. Identify and whitelist these scripts to prevent unnecessary alerts.
  • Temporary groups created for short-term projects or testing purposes might be flagged. Implement a naming convention for such groups and exclude them from alerts based on this pattern.
  • Scheduled tasks or maintenance activities that involve group creation should be logged and approved in advance. Use these logs to create exceptions in the detection rule.
  • Third-party integrations or services that require group creation for functionality can cause false positives. Verify these integrations and adjust the rule to exclude their known actions.

Response and remediation

  • Immediately review the AWS CloudTrail logs to confirm the unauthorized creation of the IAM group and identify the user or service responsible for the action.
  • Revoke any permissions associated with the newly created IAM group to prevent further unauthorized access or actions.
  • Temporarily disable or delete the unauthorized IAM group to contain the threat and prevent any potential misuse.
  • Conduct a thorough audit of recent IAM changes to identify any other unauthorized activities or anomalies that may indicate further compromise.
  • Escalate the incident to the security operations team for a detailed investigation and to assess the potential impact on the organization's security posture.
  • Implement additional monitoring and alerting for IAM group creation events to enhance detection capabilities and prevent similar incidents in the future.
  • Review and update IAM policies and permissions to ensure they follow the principle of least privilege, reducing the risk of unauthorized access.

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
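The following Python is an added example, not code from Elastic or from the rule above. It re-implements the rule's KQL predicate over a handful of constructed, ECS-shaped CloudTrail events, then layers on two things the investigation guide asks an analyst to do by hand: the exemptions described under "False positive analysis" (a naming convention for temporary groups and a known automation identity) and the "Cross-reference the group creation event with other recent IAM activities" step, implemented as a lookup for follow-on changes to the same group inside a time window. The four event.* field names come from the rule query; user.name, user_agent.original, @timestamp and the flat group_name key, the "tmp-" naming pattern, the automation user and the 30-minute window are assumptions made for this example, not a statement of the integration's schema or of any organisation's conventions.

```python
"""Rule predicate, exemptions and follow-on correlation for AWS IAM CreateGroup events.

All events below are constructed for this example; they are not real CloudTrail data.
"""
import re
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def _ev(minutes, action, outcome="success", provider="iam.amazonaws.com",
        user="alice", agent="aws-cli/2.15.0", group=None):
    # Builds one flat, ECS-style event dict (constructed sample, assumed field names).
    return {
        "@timestamp": T0 + timedelta(minutes=minutes),
        "event.dataset": "aws.cloudtrail",
        "event.provider": provider,
        "event.action": action,
        "event.outcome": outcome,
        "user.name": user,
        "user_agent.original": agent,
        "group_name": group,
    }


EVENTS = [
    _ev(0, "CreateGroup", group="finance-readonly"),                 # should alert
    _ev(2, "AddUserToGroup", group="finance-readonly"),              # follow-on change
    _ev(3, "AttachGroupPolicy", group="finance-readonly"),           # follow-on change
    _ev(5, "CreateGroup", outcome="failure", user="bob", group="ops"),  # failed: no alert
    _ev(7, "CreateGroup", user="terraform-ci",
        agent="APN/1.0 HashiCorp/1.0 Terraform/1.6.0", group="tmp-proj-42"),  # exempt
    _ev(9, "AssumeRole", provider="sts.amazonaws.com", user="carol"),  # not IAM
]


def matches_rule(event):
    """Python equivalent of the rule's KQL query (all four terms must hold)."""
    return (event.get("event.dataset") == "aws.cloudtrail"
            and event.get("event.provider") == "iam.amazonaws.com"
            and event.get("event.action") == "CreateGroup"
            and event.get("event.outcome") == "success")


# Assumed local conventions for the exemptions the guide describes.
TEMP_GROUP_PATTERN = re.compile(r"^tmp-")
KNOWN_AUTOMATION_USERS = {"terraform-ci"}


def exemption_reason(event):
    """Return why a matching event would be exempted, or None if it should alert."""
    if TEMP_GROUP_PATTERN.match(event.get("group_name") or ""):
        return "temporary group naming convention"
    if event.get("user.name") in KNOWN_AUTOMATION_USERS:
        return "known automation identity"
    return None


# IAM actions that, after CreateGroup, turn an empty group into usable access.
FOLLOW_ON_ACTIONS = {"AddUserToGroup", "AttachGroupPolicy", "PutGroupPolicy"}


def related_iam_activity(alert, events, window=timedelta(minutes=30)):
    """Follow-on IAM changes to the same group within `window` after the alert."""
    start = alert["@timestamp"]
    return [e["event.action"] for e in events
            if e is not alert
            and e.get("event.provider") == "iam.amazonaws.com"
            and e.get("event.action") in FOLLOW_ON_ACTIONS
            and e.get("group_name") == alert.get("group_name")
            and start <= e["@timestamp"] <= start + window]


def triage(events):
    """Apply the rule, then annotate each hit with exemption and follow-on context."""
    results = []
    for e in events:
        if not matches_rule(e):
            continue
        results.append({
            "group": e["group_name"],
            "actor": e["user.name"],
            "user_agent": e["user_agent.original"],
            "exempt": exemption_reason(e),
            "follow_on": related_iam_activity(e, events),
        })
    return results


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

Running the block reports two rule matches: the finance-readonly creation by alice, which has no exemption and is followed within minutes by AddUserToGroup and AttachGroupPolicy (the pattern the guide asks you to look for), and the tmp-proj-42 creation by terraform-ci, which the naming convention exempts. The failed CreateGroup and the STS event never match, mirroring the event.outcome and event.provider terms of the query. In production the exemptions belong in the rule's exception list rather than in code, and the follow-on lookup is the kind of pivot an analyst runs in Discover over the same index.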