From 9bd96a260d1872bf284565370de18001a3ee0fd6 Mon Sep 17 00:00:00 2001
From: bryans3c
Date: Thu, 18 Jun 2026 13:13:33 +0200
Subject: [PATCH 1/8] [New Rule] AWS IAM Inline Policy Added to a Group
---
 ...tion_iam_inline_policy_added_to_group.toml | 131 ++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
diff --git a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
new file mode 100644
index 00000000000..3b1a50c836a
--- /dev/null
+++ b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
@@ -0,0 +1,131 @@
+[metadata]
+creation_date = "2026/06/18"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2026/06/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an inline policy added to an IAM group via PutGroupPolicy. An inline policy attached to a group grants its
+permissions to every current and future member of that group. Adversaries can abuse this to escalate privileges (grant
+elevated permissions to a group they belong to, or will add themselves to) and to establish persistence through a
+durable, membership-based grant that is easy to overlook. Group inline policies are uncommon compared to managed-policy
+attachments, so their creation by an unexpected principal warrants review.
+"""
+false_positives = [
+ """
+ Identity and platform teams and infrastructure-as-code pipelines occasionally manage group inline policies as part
+ of normal access governance. Verify the principal in `aws.cloudtrail.user_identity.arn`, the targeted group, and the
+ policy document against approved change records. Known administration roles and deployment automation can be
+ excluded after validation.
+ """,
+]
+from = "now-6m"
+index = ["logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS IAM Inline Policy Added to a Group"
+note = """## Triage and analysis
+
+### Investigating AWS IAM Inline Policy Added to a Group
+
+`PutGroupPolicy` embeds an inline permissions policy directly on an IAM group. Because the policy applies to all members
+of the group, it is an effective way to broadly grant permissions — and, for an adversary, to escalate privileges or
+persist while drawing less attention than attaching a well-known managed policy such as `AdministratorAccess`. Group
+inline policies are relatively rare, which makes their creation a useful signal.
+
+#### Possible investigation steps
+
+- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
+ `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to
+ determine how the change was made.
+- Inspect `aws.cloudtrail.request_parameters` for the targeted `groupName`, the `policyName`, and the
+ `policyDocument` to assess what permissions were granted (look for broad `Action`/`Resource` of `*`, IAM, or
+ data-access permissions).
+- Enumerate the group's current members to understand who immediately gains the new permissions, and whether the actor
+ is or could become a member.
+- Confirm whether the change aligns with an approved access request, onboarding, or deployment.
+- Correlate with recent activity by the same principal, such as group creation, adding users to the group, or other IAM
+ modifications that may form an escalation chain.
+
+### False positive analysis
+
+- Approved access governance and infrastructure-as-code may add group inline policies. Confirm the change is expected
+ and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
+
+### Response and remediation
+
+- If the change is unauthorized, remove the inline policy from the group (`DeleteGroupPolicy`) and review which members
+ used the granted permissions while it was in place.
+- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:PutGroupPolicy` to a
+ small set of trusted administrators.
+
+### Additional information
+
+- [IAM identity-based policies (inline)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)
+- [PutGroupPolicy API](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html)
+"""
+references = [
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html",
+]
+risk_score = 47
+rule_id = "87f8141e-4275-4d49-9e76-d215b4614a0b"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+ and event.provider: "iam.amazonaws.com"
+ and event.action: "PutGroupPolicy"
+ and event.outcome: "success"
+ and not aws.cloudtrail.user_identity.type: "AWSService"
+ and not aws.cloudtrail.user_identity.arn: arn*/terraform
+ and not source.as.organization.name: (Amazon* or Google*)
+ and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+]
+
From 0b8be4079a23a7fbe1b99b0240b4ef2c2a1746ae Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Thu, 18 Jun 2026 15:42:53 +0200
Subject: [PATCH 2/8] Update privilege_escalation_iam_inline_policy_added_to_group.toml
---
 ...tion_iam_inline_policy_added_to_group.toml | 28 ++++++-------------
 1 file changed, 8 insertions(+), 20 deletions(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
index 3b1a50c836a..76189335f5e 100644
--- a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
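Review bot: The `source.as.organization.name: (Amazon* or Google*)` exclusion in `query` suppresses every PutGroupPolicy call whose source IP is ASN-enriched to Amazon or Google, which includes calls made from EC2 or other cloud-hosted compute using instance or workload credentials, the vantage point a compromised workload in the account would have. The `aws.cloudtrail.user_identity.type: "AWSService"` and `source.address` clauses already cover calls originated by AWS services themselves, so the ASN clause mostly removes coverage rather than noise; consider dropping it, or if it is kept for volume reasons, state that trade-off in the `note` so triage knows cloud-sourced events are filtered. The `false_positives` text could also name `aws.cloudtrail.user_identity.session_context.session_issuer.arn` as the stable field to exclude on for assumed roles, since `user_identity.arn` for an assumed role carries the per-session name.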
@@ -30,36 +30,24 @@ note = """## Triage and analysis
 
 ### Investigating AWS IAM Inline Policy Added to a Group
 
-`PutGroupPolicy` embeds an inline permissions policy directly on an IAM group. Because the policy applies to all members
-of the group, it is an effective way to broadly grant permissions — and, for an adversary, to escalate privileges or
-persist while drawing less attention than attaching a well-known managed policy such as `AdministratorAccess`. Group
-inline policies are relatively rare, which makes their creation a useful signal.
+`PutGroupPolicy` embeds an inline permissions policy directly on an IAM group. Because the policy applies to all members of the group, it is an effective way to broadly grant permissions — and, for an adversary, to escalate privileges or persist while drawing less attention than attaching a well-known managed policy such as `AdministratorAccess`. Group inline policies are relatively rare, which makes their creation a useful signal.
 
 #### Possible investigation steps
 
-- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
- `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to
- determine how the change was made.
-- Inspect `aws.cloudtrail.request_parameters` for the targeted `groupName`, the `policyName`, and the
- `policyDocument` to assess what permissions were granted (look for broad `Action`/`Resource` of `*`, IAM, or
- data-access permissions).
-- Enumerate the group's current members to understand who immediately gains the new permissions, and whether the actor
- is or could become a member.
+- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to determine how the change was made.
+- Inspect `aws.cloudtrail.request_parameters` for the targeted `groupName`, the `policyName`, and the `policyDocument` to assess what permissions were granted (look for broad `Action`/`Resource` of `*`, IAM, or data-access permissions).
+- Enumerate the group's current members to understand who immediately gains the new permissions, and whether the actor is or could become a member.
 - Confirm whether the change aligns with an approved access request, onboarding, or deployment.
-- Correlate with recent activity by the same principal, such as group creation, adding users to the group, or other IAM
- modifications that may form an escalation chain.
+- Correlate with recent activity by the same principal, such as group creation, adding users to the group, or other IAM modifications that may form an escalation chain.
 
 ### False positive analysis
 
-- Approved access governance and infrastructure-as-code may add group inline policies. Confirm the change is expected
- and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
+- Approved access governance and infrastructure-as-code may add group inline policies. Confirm the change is expected and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
 
 ### Response and remediation
 
-- If the change is unauthorized, remove the inline policy from the group (`DeleteGroupPolicy`) and review which members
- used the granted permissions while it was in place.
-- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:PutGroupPolicy` to a
- small set of trusted administrators.
+- If the change is unauthorized, remove the inline policy from the group (`DeleteGroupPolicy`) and review which members used the granted permissions while it was in place.
+- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:PutGroupPolicy` to a small set of trusted administrators.
 
 ### Additional information
 
From 212d8155831b5fdd53c3615a2d95f666d83e20b7 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 19 Jun 2026 15:11:04 +0200
Subject: [PATCH 3/8] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../privilege_escalation_iam_inline_policy_added_to_group.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
index 76189335f5e..539fa1b5c4e 100644
--- a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
@@ -81,7 +81,7 @@ event.dataset: "aws.cloudtrail"
  and event.outcome: "success"
  and not aws.cloudtrail.user_identity.type: "AWSService"
  and not aws.cloudtrail.user_identity.arn: arn*/terraform
- and not source.as.organization.name: (Amazon* or Google*)
+ and not source.as.organization.name: (Amazon* or AMAZON* or Google*)
  and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
 '''
From 0881dfe5d5d40d6402134706bfb25be0ef8dbe68 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 19 Jun 2026 15:11:14 +0200
Subject: [PATCH 4/8] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../privilege_escalation_iam_inline_policy_added_to_group.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
index 539fa1b5c4e..7dd9b2d95a0 100644
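Review bot: Adding `AMAZON*` next to `Amazon*` in the `source.as.organization.name` exclusion shows that the wildcard match is case-sensitive on this field, so the exclusion list now silently depends on how the upstream ASN enrichment capitalises the organisation name; a differently capitalised or suffixed name would not be excluded, while each added variant also widens what is filtered out. Since TOML comments cannot be placed inside the `'''` query literal, a comment above the `query` key (outside this hunk) such as `# ASN org-name match is case-sensitive; capitalisation variants listed explicitly` would record why the duplicates exist. A more deterministic way to suppress AWS-service-originated calls is the pair of fields already in the query, `aws.cloudtrail.user_identity.type` and `source.address`, which do not depend on enrichment spelling.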
--- a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
@@ -69,6 +69,7 @@ tags = [
 "Data Source: AWS IAM",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
From d449827a245a0cac23351e456ec71216f627afdd Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 19 Jun 2026 15:11:32 +0200
Subject: [PATCH 5/8] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 ...calation_iam_inline_policy_added_to_group.toml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
index 7dd9b2d95a0..c5f9293115b 100644
--- a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
@@ -89,17 +89,30 @@ event.dataset: "aws.cloudtrail"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
 
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
From 1aa69a2514acc2aaa16dbb80541f790216329d43 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Mon, 22 Jun 2026 09:57:23 +0200
Subject: [PATCH 6/8] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 ...rivilege_escalation_iam_inline_policy_added_to_group.toml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
index c5f9293115b..89e9c3b4e12 100644
--- a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
@@ -107,7 +107,10 @@ framework = "MITRE ATT&CK"
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
From 74f0a664669b88848fc07a718f96de3a4be45a9f Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 26 Jun 2026 15:09:39 +0200
Subject: [PATCH 7/8] Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...ivilege_escalation_iam_inline_policy_added_to_group.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
index 89e9c3b4e12..bff507f6e44 100644
--- a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
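Review bot: The `T1098.003` subtechnique is added only under the second `[[rule.threat]]` entry (Persistence); the first entry, mapped to Privilege Escalation and lying outside this hunk, still lists bare `T1098`, so the two ATT&CK mappings for the same technique now disagree. Add the same `[[rule.threat.technique.subtechnique]]` block under the first entry as well. This hunk also spends the blank line that separated `reference = "https://attack.mitre.org/techniques/T1098/"` from `[rule.threat.tactic]`, leaving the new subtechnique table butted against both its technique and the tactic header; one blank line before and after `[[rule.threat.technique.subtechnique]]` would match the spacing used in the rest of the threat section.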
@@ -32,7 +32,7 @@ note = """## Triage and analysis
 
 `PutGroupPolicy` embeds an inline permissions policy directly on an IAM group. Because the policy applies to all members of the group, it is an effective way to broadly grant permissions — and, for an adversary, to escalate privileges or persist while drawing less attention than attaching a well-known managed policy such as `AdministratorAccess`. Group inline policies are relatively rare, which makes their creation a useful signal.
 
-#### Possible investigation steps
+### Possible investigation steps
 
 - Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to determine how the change was made.
 - Inspect `aws.cloudtrail.request_parameters` for the targeted `groupName`, the `policyName`, and the `policyDocument` to assess what permissions were granted (look for broad `Action`/`Resource` of `*`, IAM, or data-access permissions).
@@ -76,12 +76,12 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
  and event.provider: "iam.amazonaws.com"
  and event.action: "PutGroupPolicy"
  and event.outcome: "success"
  and not aws.cloudtrail.user_identity.type: "AWSService"
- and not aws.cloudtrail.user_identity.arn: arn*/terraform
+ and not aws.cloudtrail.user_identity.arn: *terraform*
  and not source.as.organization.name: (Amazon* or AMAZON* or Google*)
  and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
 '''
From 46bf6fc314e18449f86274ffbf812562babc3cbe Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 26 Jun 2026 15:10:05 +0200
Subject: [PATCH 8/8] Refine IAM policy conditions for privilege escalation
---
 .../privilege_escalation_iam_inline_policy_added_to_group.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
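Review bot: Widening the automation exclusion from `arn*/terraform` to `*terraform*` in the second hunk makes it match that substring anywhere in `aws.cloudtrail.user_identity.arn`, including the session-name segment of an assumed-role ARN, which is supplied by the caller at AssumeRole time rather than fixed by the account's IAM configuration, so the suppression is no longer tied to a principal the account controls. Anchoring the pattern to the role or user name instead, for example `*assumed-role/terraform*` or `*user/terraform*` (constructed patterns), or matching on `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, keeps the intent while excluding only the named automation identity. The switch to `data_stream.dataset` is consistent with the `logs-aws.cloudtrail-*` index pattern. The `query` literal opens outside this hunk.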
diff --git a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
index bff507f6e44..fe4926ae6b1 100644
--- a/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
@@ -81,7 +81,8 @@ data_stream.dataset: "aws.cloudtrail"
  and event.action: "PutGroupPolicy"
  and event.outcome: "success"
  and not aws.cloudtrail.user_identity.type: "AWSService"
- and not aws.cloudtrail.user_identity.arn: *terraform*
+ and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
+ and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
  and not source.as.organization.name: (Amazon* or AMAZON* or Google*)
  and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
 '''
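Review bot: `user_agent.original` is a free-form string set by the calling client, so the new `and not user_agent.original: (*terraform* or *pulumi* or *ansible*)` line turns a self-reported header into a rule-wide suppression: any successful PutGroupPolicy whose SDK user agent happens to contain one of those tokens is never alerted on, whatever principal made the call. The ARN clause on the following line already identifies the automation principal, so the user-agent clause mostly adds coverage loss rather than precision; dropping it and letting operators add principal-specific exceptions, as the `false_positives` text already instructs, is the safer default. If it is kept, record in `false_positives` that suppression also keys on the client-supplied user agent so analysts know the gap exists. Note too that `*pulumi*` and `*ansible*` on `aws.cloudtrail.user_identity.arn` will exclude any human user or role whose name merely contains those words. The `query` literal opens outside this hunk.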