Sample rules
AWS IAM Delete Policy
- source: splunk
- technicques:
- T1098
Description
The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify DeletePolicy events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_delete_policy_filter`
ASL AWS IAM Delete Policy
- source: splunk
- technicques:
- T1098
Description
The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources.
Detection logic
`amazon_security_lake` api.operation=DeletePolicy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_iam_delete_policy_filter`
AWS IAM Assume Role Policy Brute Force
- source: splunk
- technicques:
- T1580
- T1110
Description
The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify MalformedPolicyDocumentException errors with a status of failure and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services.
Detection logic
`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn
| where count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_assume_role_policy_brute_force_filter`
Sample rules
AWS IAM Delete Policy
- source: splunk
- technicques:
- T1098
Description
The following analytic detects the deletion of an IAM policy in AWS. It leverages AWS CloudTrail logs to identify DeletePolicy events, excluding those from AWS internal services. This activity is significant as unauthorized policy deletions can disrupt access controls and weaken security postures. If confirmed malicious, an attacker could remove critical security policies, potentially leading to privilege escalation, unauthorized access, or data exfiltration. Monitoring this behavior helps ensure that only authorized changes are made to IAM policies, maintaining the integrity and security of the AWS environment.
Detection logic
`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_delete_policy_filter`
ASL AWS IAM Delete Policy
- source: splunk
- technicques:
- T1098
Description
The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources.
Detection logic
`amazon_security_lake` api.operation=DeletePolicy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_iam_delete_policy_filter`
AWS IAM Assume Role Policy Brute Force
- source: splunk
- technicques:
- T1580
- T1110
Description
The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify MalformedPolicyDocumentException errors with a status of failure and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services.
Detection logic
`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn
| where count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_assume_role_policy_brute_force_filter`
ASL AWS IAM Failure Group Deletion
- source: splunk
- technicques:
- T1098
Description
The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture.
Detection logic
`amazon_security_lake` api.operation=DeleteGroup api.response.error IN (NoSuchEntityException,DeleteConflictException, AccessDenied) http_request.user_agent!=*.amazonaws.com
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_iam_failure_group_deletion_filter`
AWS IAM Successful Group Deletion
- source: splunk
- technicques:
- T1069.003
- T1098
- T1069
Description
The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect DeleteGroup events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.
Detection logic
`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_successful_group_deletion_filter`
AWS IAM Failure Group Deletion
- source: splunk
- technicques:
- T1098
Description
The following analytic identifies failed attempts to delete AWS IAM groups. It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails due to errors like NoSuchEntityException, DeleteConflictException, or AccessDenied. This activity is significant as it may indicate unauthorized attempts to modify IAM group configurations, which could be a precursor to privilege escalation or other malicious actions. If confirmed malicious, this could allow an attacker to disrupt IAM policies, potentially leading to unauthorized access or denial of service within the AWS environment.
Detection logic
`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_failure_group_deletion_filter`
ASL AWS IAM Successful Group Deletion
- source: splunk
- technicques:
- T1069.003
- T1098
- T1069
Description
The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations.
Detection logic
`amazon_security_lake` api.operation=DeleteGroup status=Success
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.account_uid actor.user.name actor.user.uid http_request.user_agent src_endpoint.ip cloud.region
| rename actor.user.name as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_iam_successful_group_deletion_filter`