AWS.Administrative.IAM.User.Created

Severity
informational
Time window
1h
Match by
p_alert_context.request_username
Tags
Beta
Reference
https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user/
Source
github.com/panther-labs/panther-analysis

Identifies when an administrative IAM user is created: a new IAM user is created and, within one hour, an administrative policy is attached to it. This could indicate a potential security breach.

MITRE ATT&CK coverage

Tactic                 Technique
Initial Access         T1078 Valid Accounts
Persistence            T1078 Valid Accounts
Privilege Escalation   T1078 Valid Accounts
Defense Evasion        T1078 Valid Accounts

Rule body yaml

AnalysisType: correlation_rule
RuleID: "AWS.Administrative.IAM.User.Created"
DisplayName: "AWS.Administrative.IAM.User.Created"
Enabled: true
Severity: Info
Tags:
  - Beta
Description: Identifies when an Administrative IAM user is created. This could indicate a potential security breach.
Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-create-admin-user/
Reports:
  MITRE ATT&CK:
    - TA0006:T1078
Detection:
    - Sequence:
        - ID: CreateUser
          RuleID: AWS.IAM.CreateUser
        - ID: AttachAdminUserPolicy
          RuleID: AWS.IAM.AttachAdminUserPolicy
      Transitions:
        - ID: CreateUser FOLLOWED BY AttachAdminUserPolicy
          From: CreateUser
          To: AttachAdminUserPolicy
          WithinTimeFrameMinutes: 60
          Match:
            - On: p_alert_context.request_username
      LookbackWindowMinutes: 2160
      Schedule:
        RateMinutes: 1440
        TimeoutMinutes: 5
Tests:
    - Name: User Created, Followed By Admin Policy Attachment
      ExpectedResult: true
      RuleOutputs:
        - ID: CreateUser
          Matches:
            p_alert_context.request_username:
              'new-user':
                - "2024-06-01T10:00:01Z"
        - ID: AttachAdminUserPolicy
          Matches:
            p_alert_context.request_username:
              'new-user':
                - "2024-06-01T11:00:01Z"
    - Name: User Created, Not Followed By Admin Policy Attachment
      ExpectedResult: false
      RuleOutputs:
        - ID: CreateUser
          Matches:
            p_alert_context.request_username:
              'new-user':
                - "2024-06-01T10:00:01Z"
    - Name: Wrong match
      ExpectedResult: false
      RuleOutputs:
        - ID: CreateUser
          Matches:
            p_alert_context.request_username:
              'new-user':
                - "2024-06-01T10:00:01Z"
        - ID: AttachAdminUserPolicy
          Matches:
            p_alert_context.request_username:
              'not-new-user':
                - "2024-06-01T11:00:01Z"

Detection logic

Stage 1: step CreateUser, ordered before AttachAdminUserPolicy

References detection AWS.IAM.CreateUser.

Stage 2: step AttachAdminUserPolicy, ordered after CreateUser, within 60 minutes and with the same p_alert_context.request_username

References detection AWS.IAM.AttachAdminUserPolicy.
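The following is an added example, not Panther's correlation engine and not code from panther-analysis. It re-implements the semantics the rule body declares (two ordered steps, CreateUser FOLLOWED BY AttachAdminUserPolicy, WithinTimeFrameMinutes: 60, matched on p_alert_context.request_username) and runs them over constructed CloudTrail-style events. How the two referenced rules populate request_username is assumed here to be requestParameters.userName, and "administrative policy" is assumed to mean the AWS-managed AdministratorAccess ARN; the real rules may check more than that. The inclusive 60-minute boundary is taken from the page's own positive test, whose two timestamps are exactly 60 minutes apart.

```python
# Added example: reproduces the correlation semantics from the rule body above.
# Not Panther's engine; the sub-rule logic (CreateUser / AttachUserPolicy with
# the AdministratorAccess ARN, keyed by requestParameters.userName) is assumed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MATCH_KEY = "p_alert_context.request_username"   # Match: On: ...
WITHIN = timedelta(minutes=60)                   # WithinTimeFrameMinutes: 60
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"  # assumption


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the page's test cases."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rule_outputs_from_cloudtrail(events):
    """Stand-in for the two referenced rules (assumed logic). Emits per-step
    matches keyed by the target IAM user name, in the RuleOutputs shape the
    page's tests use: [{"ID": step, "Matches": {MATCH_KEY: {user: [ts, ...]}}}]."""
    matches = defaultdict(lambda: defaultdict(list))
    for ev in events:
        params = ev.get("requestParameters") or {}
        user = params.get("userName")
        if not user:
            continue
        if ev.get("eventName") == "CreateUser":
            matches["CreateUser"][user].append(ev["eventTime"])
        elif ev.get("eventName") == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            matches["AttachAdminUserPolicy"][user].append(ev["eventTime"])
    return [{"ID": step, "Matches": {MATCH_KEY: dict(by_user)}}
            for step, by_user in matches.items()]


def correlate(rule_outputs, within=WITHIN):
    """Apply the transition CreateUser FOLLOWED BY AttachAdminUserPolicy: for
    each match value, a CreateUser time and a later (or equal) attach time no
    more than `within` apart. Returns the (user, create_ts, attach_ts) hits."""
    steps = {out["ID"]: out["Matches"].get(MATCH_KEY, {}) for out in rule_outputs}
    created = steps.get("CreateUser", {})
    attached = steps.get("AttachAdminUserPolicy", {})
    hits = []
    for user, create_times in created.items():
        for c in map(parse_ts, create_times):
            for a in map(parse_ts, attached.get(user, [])):
                if timedelta(0) <= a - c <= within:   # ordered, inclusive window
                    hits.append((user, c.isoformat(), a.isoformat()))
    return hits


def fires(rule_outputs):
    """True when the correlation rule would raise an alert."""
    return bool(correlate(rule_outputs))


# Constructed CloudTrail-style events (not real logs): one admin-user creation,
# an admin attachment for a different user, and a creation followed only by a
# non-admin policy attachment.
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-01T10:00:01Z", "eventName": "CreateUser",
     "requestParameters": {"userName": "new-user"}},
    {"eventTime": "2024-06-01T11:00:01Z", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "new-user", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2024-06-01T11:05:00Z", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "not-new-user", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2024-06-01T12:00:00Z", "eventName": "CreateUser",
     "requestParameters": {"userName": "lonely-user"}},
    {"eventTime": "2024-06-01T12:30:00Z", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "lonely-user",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]


if __name__ == "__main__":
    for hit in correlate(rule_outputs_from_cloudtrail(SAMPLE_EVENTS)):
        print("ALERT", *hit)
```

Two things the Match clause implies are worth checking against the sample run: the key is the created user's name, not the caller, so the sequence still fires when the two API calls come from different principals; and an AttachUserPolicy that lands before the CreateUser, or more than 60 minutes after it, does not satisfy the transition even for the same user name.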