← Back to Explore
splunk_escuHunting
AWS IAM Successful Group Deletion
The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.
Detection Query
`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com)
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_successful_group_deletion_filter`Author
Michael Haag, Splunk
Created
2026-02-25
Data Sources
AWS CloudTrail DeleteGroup
References
Tags
AWS IAM Privilege Escalation
Raw Content
name: AWS IAM Successful Group Deletion
id: e776d06c-9267-11eb-819b-acde48001122
version: 9
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Hunting
description: The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.
data_source:
- AWS CloudTrail DeleteGroup
search: |-
`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com)
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_successful_group_deletion_filter`
how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs.
known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
references:
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html
tags:
analytic_story:
- AWS IAM Privilege Escalation
asset_type: AWS Account
mitre_attack_id:
- T1069.003
- T1098
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: access
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail