Techniques
Sample rules
aws detect attach to role policy
- source: splunk
- techniques:
- T1078
Description
This search detects a user attaching itself to a different role trust policy. This can be used for lateral movement and privilege escalation.
Detection logic
`aws_cloudwatchlogs_eks` attach policy
| spath requestParameters.policyArn
| table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate
| `aws_detect_attach_to_role_policy_filter`
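An offline way to exercise this logic against constructed CloudTrail-style events, added here as an example and not part of the original rule. It assumes the keyword terms correspond to IAM Attach*Policy calls; `spath`, `is_policy_attach` and `detect` are hypothetical helper names, and the two Splunk macros are not modeled.

```python
import json

# Columns from the rule's `table` command that exist as raw JSON paths;
# user_access_key, status and action are search-time fields and are omitted.
FIELDS = [
    "sourceIPAddress", "userIdentity.arn",
    "userIdentity.sessionContext.sessionIssuer.arn", "eventName", "errorCode",
    "requestParameters.policyArn",
    "userIdentity.sessionContext.attributes.mfaAuthenticated",
]

def spath(event, path):
    """Walk a dotted path like Splunk's spath; None when a level is missing."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def is_policy_attach(event):
    # Assumption: the keyword terms `attach policy` are narrowed to IAM
    # Attach*Policy calls (AttachRolePolicy, AttachUserPolicy, AttachGroupPolicy).
    name = str(event.get("eventName", "")).lower()
    return name.startswith("attach") and name.endswith("policy")

def detect(raw_lines):
    rows = []
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines in the log stream
        if isinstance(event, dict) and is_policy_attach(event):
            rows.append({f: spath(event, f) for f in FIELDS})
    return rows

# Constructed sample events; the account id, ARNs and IPs are placeholders.
SAMPLE = [json.dumps(e) for e in (
    {"eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/dev/alice",
       "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/dev"},
                          "attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7"},
    {"eventName": "AttachUserPolicy", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
)] + ["not json"]
if __name__ == "__main__": print(detect(SAMPLE))
```

Rows where a projected path is absent carry `None`, which makes gaps such as a missing session context visible during triage.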