EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

AWS SAML Provider Deletion Activity

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

MITRE ATT&CK

T1078.004T1531
privilege-escalationdefense-evasioninitial-accesspersistenceimpact

Detection Query

selection:
  eventSource: iam.amazonaws.com
  eventName: DeleteSAMLProvider
  status: success
condition: selection

Author

Ivan Saakov

Created

2024-12-19

Data Sources

awscloudtrail

Platforms

aws

References

Tags

attack.t1078.004attack.privilege-escalationattack.defense-evasionattack.initial-accessattack.persistenceattack.t1531attack.impact
Raw Content
title: AWS SAML Provider Deletion Activity
id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
status: experimental
description: |
    Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
    An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
author: Ivan Saakov
date: 2024-12-19
tags:
    - attack.t1078.004
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.initial-access
    - attack.persistence
    - attack.t1531
    - attack.impact
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'DeleteSAMLProvider'
        status: 'success'
    condition: selection
falsepositives:
    - Automated processes using tools like Terraform may trigger this alert.
    - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
    - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
level: medium