{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account-access-removal/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["IAM"],"_cs_severities":["low"],"_cs_tags":["aws","iam","cloudtrail","impact","account-access-removal"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis alert focuses on the detection of IAM group deletions within Amazon Web Services (AWS) environments. The rule triggers when the \u003ccode\u003eDeleteGroup\u003c/code\u003e API call is observed in AWS CloudTrail logs, indicating that an IAM group has been removed. While legitimate IAM group deletions occur, this action can also be indicative of malicious activity. Adversaries may delete IAM groups to erase evidence of their presence, disrupt operations by removing necessary permissions for users or services, or hide their actions after using the group to gain privileged access. This activity often follows the successful exploitation of a vulnerability or the compromise of an account. Detecting this activity provides security teams with a chance to investigate potential unauthorized access, policy changes, or other malicious actions performed using the deleted group's privileges. It is important to correlate this activity with other events in the environment to determine if it is part of a broader attack campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the AWS environment through compromised credentials or by exploiting a vulnerability in a service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to elevate their privileges to gain more control over the AWS environment, potentially by attaching policies to themselves or assuming roles.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally within the AWS environment, accessing different resources and services using their elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Access:\u003c/strong\u003e The attacker accesses sensitive resources, such as data stores, applications, or infrastructure components, to gather information or achieve their objectives.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to steal additional credentials, such as IAM user credentials or EC2 instance profiles, to further expand their access and maintain persistence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification/Attachment:\u003c/strong\u003e The attacker may modify IAM policies or attach policies to IAM groups to grant themselves additional permissions or control over resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIAM Group Deletion:\u003c/strong\u003e The attacker deletes an IAM group using the \u003ccode\u003eDeleteGroup\u003c/code\u003e API call in an attempt to remove audit trails, disrupt operations, or hide their activity after using the group for privileged access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, such as data exfiltration, system disruption, or financial gain, potentially leaving the environment in a compromised state.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an IAM group can lead to several negative impacts. Firstly, it can disrupt operations by removing necessary permissions for users or services that were members of the group. Secondly, it can erase audit trails by removing a key piece of evidence that could be used to track an attacker's actions. Finally, it can hide an attacker's activity after they have used the group to gain privileged access. The scope of the impact depends on the group's permissions and the resources it had access to, as well as whether or not other groups or roles can take over its functionality.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS IAM Group Deletion Detected\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized IAM group deletions.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected IAM group deletions to determine if they are legitimate or indicative of malicious activity, referencing the investigation steps in the rule's \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eMonitor for related activity, such as \u003ccode\u003eDetachGroupPolicy\u003c/code\u003e, \u003ccode\u003eRemoveUserFromGroup\u003c/code\u003e, \u003ccode\u003eDeleteGroupPolicy\u003c/code\u003e, which often precede deletion.\u003c/li\u003e\n\u003cli\u003eEnforce change-control for group deletions and restrict \u003ccode\u003eiam:DeleteGroup\u003c/code\u003e privileges, as suggested in the rule's \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-iam-group-deletion/","summary":"Detection of AWS IAM group deletion via the DeleteGroup API call, which may indicate an attacker removing audit trails, disrupting operations, or concealing privileged access activity.","title":"AWS IAM Group Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-iam-group-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Account-Access-Removal","version":"https://jsonfeed.org/version/1.1"}