AWS IAM group with a known malicious name
Description
AlphaSOC detected the creation of an AWS IAM group with a name matching patterns associated with known threat actor tools and campaigns. Threat actors who gain sufficient access to an AWS environment may create IAM groups with names used in publicly documented attack toolkits or persistence frameworks.
Impact
Users added to the IAM group inherit its attached policies, which can grant them elevated permissions. The group may also be used to maintain persistent access even after the initially compromised credentials are rotated.
Severity
| Severity | Condition |
|---|---|
| Medium | IAM group created with a known malicious name pattern |
Investigation and Remediation
Review AWS CloudTrail logs to determine who created the IAM group, when, and from where. Inspect the group's attached policies and current membership. Verify whether the creation was authorized and assess whether any users have since been added. If the group is malicious, delete it, detach or remove any policies it was associated with, and investigate the identity that created it for additional indicators of compromise. Rotate credentials for any affected users.
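The triage steps above can be scripted against exported CloudTrail records. The following is an added example, not part of the AlphaSOC documentation: it takes records in the format of the `Records` array in CloudTrail log files (constructed sample records are embedded inline, with placeholder account IDs, ARNs, user names and IP addresses), finds `CreateGroup` events whose `groupName` matches a watchlist, and then builds a timeline of every IAM event touching that group so the analyst can see which policies were attached and which users were added after creation. The page does not state which name patterns AlphaSOC matches, so the regex `SUSPICIOUS_GROUP_NAME` is a hypothetical placeholder; the function names are likewise the author's own.

```python
import re

# Constructed sample CloudTrail records for illustration only. Account IDs,
# ARNs, names and IPs are placeholders, not real data.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateGroup",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"groupName": "example-suspicious-group"},
    },
    {
        "eventTime": "2024-05-01T10:01:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachGroupPolicy",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "groupName": "example-suspicious-group",
            "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess",
        },
    },
    {
        "eventTime": "2024-05-01T10:02:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"groupName": "example-suspicious-group", "userName": "example-bob"},
    },
    {
        # A benign group creation by a different identity, to show the filter discriminates.
        "eventTime": "2024-05-01T11:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateGroup",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-alice"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"groupName": "finance-readonly"},
    },
]

# Hypothetical watchlist pattern. The real detection's patterns are not published on this page.
SUSPICIOUS_GROUP_NAME = re.compile(r"^example-suspicious", re.IGNORECASE)

# Which requestParameters field identifies the interesting object for each group-related IAM event.
_DETAIL_FIELD = {
    "AttachGroupPolicy": "policyArn",
    "DetachGroupPolicy": "policyArn",
    "PutGroupPolicy": "policyName",
    "DeleteGroupPolicy": "policyName",
    "AddUserToGroup": "userName",
    "RemoveUserFromGroup": "userName",
}


def _group_name(record):
    """Return the groupName from a record's requestParameters, or '' if absent."""
    return (record.get("requestParameters") or {}).get("groupName", "")


def find_suspicious_group_creations(records, pattern=SUSPICIOUS_GROUP_NAME):
    """Return CreateGroup events whose group name matches the watchlist, with actor and time."""
    hits = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") != "CreateGroup":
            continue
        name = _group_name(r)
        if pattern.search(name):
            hits.append({
                "groupName": name,
                "eventTime": r.get("eventTime"),
                "actor": (r.get("userIdentity") or {}).get("arn"),
                "sourceIP": r.get("sourceIPAddress"),
            })
    return hits


def timeline_for_group(records, group_name):
    """Return every IAM event that references the group, ordered by eventTime."""
    events = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or _group_name(r) != group_name:
            continue
        field = _DETAIL_FIELD.get(r.get("eventName"))
        events.append({
            "eventTime": r.get("eventTime"),
            "eventName": r.get("eventName"),
            "actor": (r.get("userIdentity") or {}).get("arn"),
            "detail": (r.get("requestParameters") or {}).get(field) if field else None,
        })
    # ISO-8601 UTC timestamps sort correctly as strings.
    return sorted(events, key=lambda e: e["eventTime"] or "")


def users_added_to_group(records, group_name):
    """Return the set of user names added to the group: candidates for credential rotation."""
    return {
        e["detail"]
        for e in timeline_for_group(records, group_name)
        if e["eventName"] == "AddUserToGroup" and e["detail"]
    }


if __name__ == "__main__":
    for hit in find_suspicious_group_creations(SAMPLE_RECORDS):
        print("suspicious group:", hit)
        for event in timeline_for_group(SAMPLE_RECORDS, hit["groupName"]):
            print("  ", event["eventTime"], event["eventName"], event["detail"])
        print("   users to rotate:", users_added_to_group(SAMPLE_RECORDS, hit["groupName"]))
```

The records can come from CloudTrail log files delivered to S3 (the `Records` array) or, for the last 90 days, from `aws cloudtrail lookup-events`, whose output wraps each raw record as a JSON string in the `CloudTrailEvent` field and must be parsed first. The timeline deliberately includes policy and membership changes rather than only the `CreateGroup` event, because the impact of the group depends on what was attached and who was added afterwards.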