Add an IAM User to a Group
An attacker may attempt to add an IAM user to a group in order to escalate their privileges.
| Name | Type | Description | Example value |
|---|---|---|---|
| group | str | Group to add user to | example-group |
| user | str | IAM user to add to group | example-user |
aws iam add-user-to-group --group-name example-group --user-name example-user
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:AddUserToGroup AND eventSource:iam.amazonaws.com
---
title: Add an IAM User to a Group
id: 6e467337-484c-4b11-8a83-fb92af74afed
status: experimental
author: Nick Jones
date: 2020-06-18
description: An attacker may attempt to add an IAM user to a group, in order to escalate their privileges
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "AddUserToGroup"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
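The rule's selection applied to CloudTrail records for triage, as an added example that is not part of the original page or its author's tooling. The sample records are constructed, and the `succeeded` and `self_add` fields are assumptions added here to help rank hits from a low-severity rule; they are not part of the rule itself.

```python
import json

# Constructed CloudTrail records (not real logs), one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2020-06-18T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"AddUserToGroup","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/example-user","userName":"example-user"},"requestParameters":{"groupName":"example-group","userName":"example-user"}}
{"eventTime":"2020-06-18T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"AddUserToGroup","sourceIPAddress":"203.0.113.20","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/admin","userName":"admin"},"requestParameters":{"groupName":"developers","userName":"new-hire"}}
{"eventTime":"2020-06-18T10:06:00Z","eventSource":"iam.amazonaws.com","eventName":"AddUserToGroup","sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/example-user","userName":"example-user"},"requestParameters":null}
{"eventTime":"2020-06-18T10:07:00Z","eventSource":"iam.amazonaws.com","eventName":"ListGroups","sourceIPAddress":"203.0.113.20","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/admin","userName":"admin"},"requestParameters":null}
"""

def matches_rule(rec):
    # Same logic as the rule's condition: selection_source AND events.
    return (rec.get("eventSource") == "iam.amazonaws.com"
            and rec.get("eventName") == "AddUserToGroup")

def triage(rec):
    actor = rec.get("userIdentity") or {}
    params = rec.get("requestParameters") or {}  # may be null in a record
    return {
        "time": rec.get("eventTime"),
        "actor": actor.get("arn"),
        "target_user": params.get("userName"),
        "group": params.get("groupName"),
        "source_ip": rec.get("sourceIPAddress"),
        # Assumption: a record carrying errorCode describes a failed call.
        "succeeded": "errorCode" not in rec,
        # Assumption: an IAM user adding itself to a group deserves a closer look.
        "self_add": (actor.get("type") == "IAMUser"
                     and params.get("userName") is not None
                     and actor.get("userName") == params.get("userName")),
    }

def detect(log_text):
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if matches_rule(rec):
            hits.append(triage(rec))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```
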