Unusual Identity and Access Management (IAM) activity

Cortex XDR Analytics Alert Reference by data source

Last date published
2024-04-15

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Informational

Description

A cloud identity performed an unusual IAM operation.

Attacker's Goals

Manipulate the IAM configuration to strengthen the attacker's foothold in the organization's cloud environment by creating new accounts and modifying credentials and permissions.
Using the modified accounts, the attacker can then carry out further activity while evading detection.

Investigative actions

  • Check the identity's role designation in the organization.
  • Verify that the identity did not perform any sensitive IAM operation it should not be performing.
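The fields above (30-day training, single-event test, 5-day deduplication, severity by identity type) describe a baseline-then-flag detector. The script below is an added illustration of that model and is not Cortex XDR's own code; the page does not describe the product's internal logic. It assumes a per-identity profile of IAM actions seen in the preceding 30 days, an alert on the first (identity, action) pair outside that profile, a 14-day activation gate before any alert fires, a 5-day deduplication key of (identity, action), and that anomalous events are not folded back into the profile. The CloudTrail-shaped records and the set of internet-facing instance IDs are constructed, and the severity mapping follows the three variations on this page (user identity: Informational; non-user identity: Low; internet-facing instance: Medium).

```python
"""Toy baseline-then-flag detector for unusual IAM operations.

Added illustration, not Cortex XDR code. Windows and severity mapping are
taken from the alert reference; everything else is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ACTIVATION = timedelta(days=14)   # no alerts until 14 days of data exist
TRAINING = timedelta(days=30)     # per-identity profile window
DEDUP = timedelta(days=5)         # suppress repeats of the same (identity, action)

# Constructed: instance IDs the asset inventory marks as internet-facing.
# EC2 instance-profile sessions carry the instance ID as the role session name.
INTERNET_FACING_INSTANCES = {"i-0abc123"}

ADMIN = "arn:aws:iam::111122223333:user/admin"
CI = "arn:aws:sts::111122223333:assumed-role/ci-role/build"
WEB = "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123"

# Constructed, CloudTrail-shaped records (not real logs); only the fields the
# model needs are kept: time, IAM action, actor ARN, and identity type.
EVENTS = [
    # Training: a human admin routinely creates users and attaches policies.
    {"t": "2024-03-15T09:00:00Z", "action": "CreateUser",       "arn": ADMIN, "type": "IAMUser"},
    {"t": "2024-03-18T09:00:00Z", "action": "AttachUserPolicy", "arn": ADMIN, "type": "IAMUser"},
    {"t": "2024-03-20T09:00:00Z", "action": "CreateUser",       "arn": ADMIN, "type": "IAMUser"},
    # Training: a CI role only ever lists users; a web instance role lists roles.
    {"t": "2024-03-16T10:00:00Z", "action": "ListUsers",        "arn": CI,    "type": "AssumedRole"},
    {"t": "2024-03-22T10:00:00Z", "action": "ListUsers",        "arn": CI,    "type": "AssumedRole"},
    {"t": "2024-03-17T11:00:00Z", "action": "ListRoles",        "arn": WEB,   "type": "AssumedRole"},
    # Admin repeats a known action (no alert), then does something new (Informational).
    {"t": "2024-04-10T09:00:00Z", "action": "AttachUserPolicy", "arn": ADMIN, "type": "IAMUser"},
    {"t": "2024-04-10T09:05:00Z", "action": "CreateAccessKey",  "arn": ADMIN, "type": "IAMUser"},
    # CI role suddenly mints an access key (Low); the next day's repeat is deduplicated.
    {"t": "2024-04-11T10:00:00Z", "action": "CreateAccessKey",  "arn": CI,    "type": "AssumedRole"},
    {"t": "2024-04-12T10:00:00Z", "action": "CreateAccessKey",  "arn": CI,    "type": "AssumedRole"},
    # Internet-facing web instance role creates a user (Medium).
    {"t": "2024-04-13T11:00:00Z", "action": "CreateUser",       "arn": WEB,   "type": "AssumedRole"},
    # Same CI pair again after the 5-day dedup window has expired (Low again).
    {"t": "2024-04-17T10:00:00Z", "action": "CreateAccessKey",  "arn": CI,    "type": "AssumedRole"},
]


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form CloudTrail uses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def severity(ev):
    """Severity per the page's three variations (identity type decides)."""
    if ev["type"] == "IAMUser":
        return "Informational"
    session_name = ev["arn"].rsplit("/", 1)[-1]
    if session_name in INTERNET_FACING_INSTANCES:
        return "Medium"
    return "Low"


def detect(events):
    """Return alerts for IAM actions outside each identity's 30-day profile."""
    events = sorted(events, key=lambda e: parse_ts(e["t"]))
    if not events:
        return []
    active_from = parse_ts(events[0]["t"]) + ACTIVATION
    history = defaultdict(list)   # arn -> [(time, action)] of profiled events
    last_alert = {}               # (arn, action) -> time of last alert
    alerts = []
    for ev in events:
        t, arn, action = parse_ts(ev["t"]), ev["arn"], ev["action"]
        baseline = {a for ts, a in history[arn] if t - TRAINING <= ts < t}
        if t < active_from or action in baseline:
            history[arn].append((t, action))   # normal: extend the profile
            continue
        # Anomalous: alert unless the same pair fired within the dedup window.
        # The event is deliberately not added to the profile (assumption).
        prev = last_alert.get((arn, action))
        if prev is not None and t - prev < DEDUP:
            continue
        last_alert[(arn, action)] = t
        alerts.append({"time": ev["t"], "arn": arn, "action": action,
                       "severity": severity(ev)})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['time']} {a['severity']:<13} {a['action']:<17} {a['arn']}")
```

Running it yields four alerts: the admin's first CreateAccessKey (Informational), the CI role's CreateAccessKey on April 11 (Low), the web instance role's CreateUser (Medium), and the CI role's CreateAccessKey again on April 17 once the 5-day deduplication window has passed; the April 12 repeat and the admin's routine AttachUserPolicy produce nothing. The investigative actions above map directly onto the alert fields: the ARN tells you whose role designation to check, and the action is the IAM operation to validate.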

Variations

Unusual Identity and Access Management (IAM) activity executed from a cloud Internet-facing instance

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Medium

Description

A cloud Internet-facing instance performed an unusual IAM operation.

Attacker's Goals

Manipulate the IAM configuration to strengthen the attacker's foothold in the organization's cloud environment by creating new accounts and modifying credentials and permissions.
Using the modified accounts, the attacker can then carry out further activity while evading detection.

Investigative actions

  • Check the identity's role designation in the organization.
  • Verify that the identity did not perform any sensitive IAM operation it should not be performing.

Unusual Identity and Access Management (IAM) activity

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Low

Description

A cloud non-user identity performed an unusual IAM operation.

Attacker's Goals

Manipulate the IAM configuration to strengthen the attacker's foothold in the organization's cloud environment by creating new accounts and modifying credentials and permissions.
Using the modified accounts, the attacker can then carry out further activity while evading detection.

Investigative actions

  • Check the identity's role designation in the organization.
  • Verify that the identity did not perform any sensitive IAM operation it should not be performing.