a group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

t1136
aws
elastic

Techniques

T1136

Sample rules

AWS IAM Group Creation

source: elastic
technicques:
- T1136

Description

Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. Adversaries who obtain credentials with IAM write privileges may create a new group as a foothold for persistence: they can later attach admin-level policies to the group and quietly add users or roles to inherit those privileges.

Detection logic

event.dataset: aws.cloudtrail and 
    event.provider: iam.amazonaws.com and 
    event.action: CreateGroup and 
    event.outcome: success