Sample rules
AWS IAM AdministratorAccess Policy Attached to Role
- source: elastic
- techniques:
  - T1098
Description
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM AttachRolePolicy
API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM role.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com" and event.action == "AttachRolePolicy" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}"
| where policyName == "AdministratorAccess"
| keep @timestamp, event.provider, event.action, event.outcome, policyName, role.name
AWS IAM AdministratorAccess Policy Attached to Group
- source: elastic
- techniques:
  - T1098
Description
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of
the IAM AttachGroupPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy
to an existing IAM user group.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com" and event.action == "AttachGroupPolicy" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}"
| where policyName == "AdministratorAccess"
| keep @timestamp, event.provider, event.action, event.outcome, policyName, group.name
AWS IAM User Created Access Keys For Another User
- source: elastic
- techniques:
  - T1098
Description
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
creating a new set of credentials for an existing user. This rule looks for use of the IAM CreateAccessKey
API operation to create new programmatic access keys for another IAM user.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com"
and event.action == "CreateAccessKey"
and event.outcome == "success"
and user.name != user.target.name
| keep
@timestamp,
cloud.region,
event.provider,
event.action,
event.outcome,
user.name,
source.address,
user.target.name,
user_agent.original,
aws.cloudtrail.request_parameters,
aws.cloudtrail.response_elements,
aws.cloudtrail.user_identity.arn,
aws.cloudtrail.user_identity.type
AWS IAM AdministratorAccess Policy Attached to User
- source: elastic
- techniques:
  - T1098
Description
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
attaching additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy
API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com" and event.action == "AttachUserPolicy" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}"
| where policyName == "AdministratorAccess"
| keep
@timestamp,
cloud.region,
event.provider,
event.action,
event.outcome,
policyName,
target.userName,
aws.cloudtrail.request_parameters,
aws.cloudtrail.user_identity.arn,
related.user,
user_agent.original,
user.name,
source.address
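The four ES|QL rules above (AdministratorAccess attached to a role, group or user, and access keys created for another user) share the same shape: filter successful iam.amazonaws.com events, dissect the flattened request_parameters string, compare the extracted policy name, or compare the acting user with the target user. The following Python is an added example, not Elastic's code, that re-implements that logic over constructed ECS-style CloudTrail records so the matching behaviour can be checked offline. It assumes the field names the rules use (event.provider, event.action, event.outcome, user.name, user.target.name, aws.cloudtrail.request_parameters) and that request_parameters arrives in the "{key=value, key=value}" form the dissect pattern expects; the sample events, user names and role/group names are made up.

```python
import re

# Mirror of the dissect pattern the three Attach*Policy rules share:
#   {%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?target}=%{name}}
# Each %{...} consumes up to the next literal delimiter, so the partition
# (aws, aws-us-gov, aws-cn) and the account segment ("aws" for a managed
# policy, a 12-digit id for a customer-managed one) are wildcards: the rule
# matches on the policy *name* only, not on the full ARN.
_DISSECT = re.compile(
    r"^\{[^=]+=[^:]+:[^:]+:[^:]+::[^:]+:[^/]+/(?P<policy_name>[^,]+),"
    r"[^=]+=(?P<target>[^}]+)\}$"
)

ATTACH_RULES = {
    "AttachRolePolicy": "AWS IAM AdministratorAccess Policy Attached to Role",
    "AttachGroupPolicy": "AWS IAM AdministratorAccess Policy Attached to Group",
    "AttachUserPolicy": "AWS IAM AdministratorAccess Policy Attached to User",
}
KEYS_RULE = "AWS IAM User Created Access Keys For Another User"


def dissect_attach(request_parameters):
    """Return (policyName, targetName) or None when the string does not match.
    ES|QL dissect yields null fields on a mismatch, so such rows never pass
    the later `where policyName == "AdministratorAccess"` filter."""
    m = _DISSECT.match(request_parameters or "")
    if m is None:
        return None
    return m.group("policy_name"), m.group("target")


def evaluate(events):
    """Run all four rules over a list of ECS-style event dicts and return
    (rule_name, acting_user, target) tuples in event order."""
    alerts = []
    for ev in events:
        # Common prefilter shared by every rule on the page.
        if ev.get("event.provider") != "iam.amazonaws.com" or ev.get("event.outcome") != "success":
            continue
        action = ev.get("event.action")
        if action in ATTACH_RULES:
            parsed = dissect_attach(ev.get("aws.cloudtrail.request_parameters"))
            if parsed and parsed[0] == "AdministratorAccess":
                alerts.append((ATTACH_RULES[action], ev.get("user.name"), parsed[1]))
        elif action == "CreateAccessKey":
            actor, target = ev.get("user.name"), ev.get("user.target.name")
            # ES|QL uses three-valued logic: `user.name != user.target.name`
            # is null, not true, when either side is missing, so an event
            # without user.target.name is dropped rather than alerted on.
            if actor is not None and target is not None and actor != target:
                alerts.append((KEYS_RULE, actor, target))
    return alerts


def _ev(action, outcome="success", params=None, user="alice", target=None):
    """Build a constructed ECS-style CloudTrail event (test data, not real logs)."""
    ev = {"event.provider": "iam.amazonaws.com", "event.action": action,
          "event.outcome": outcome, "user.name": user}
    if params is not None:
        ev["aws.cloudtrail.request_parameters"] = params
    if target is not None:
        ev["user.target.name"] = target
    return ev


# Constructed sample events covering the match, the non-match and the edge cases.
SAMPLE_EVENTS = [
    # AWS managed AdministratorAccess on a role: alert.
    _ev("AttachRolePolicy", params="{policyArn=arn:aws:iam::aws:policy/AdministratorAccess, roleName=app-role}"),
    # Different managed policy: no alert.
    _ev("AttachGroupPolicy", params="{policyArn=arn:aws:iam::aws:policy/ReadOnlyAccess, groupName=devs}"),
    # Denied call: excluded by event.outcome == "success".
    _ev("AttachUserPolicy", outcome="failure", params="{policyArn=arn:aws:iam::aws:policy/AdministratorAccess, userName=bob}"),
    # Customer-managed policy that merely shares the name: still alerts (name-only match).
    _ev("AttachUserPolicy", params="{policyArn=arn:aws:iam::123456789012:policy/AdministratorAccess, userName=bob}"),
    # GovCloud partition: the wildcard segment still matches.
    _ev("AttachGroupPolicy", params="{policyArn=arn:aws-us-gov:iam::aws:policy/AdministratorAccess, groupName=ops}"),
    # Keys minted for someone else: alert.
    _ev("CreateAccessKey", target="bob"),
    # Keys minted for self: no alert.
    _ev("CreateAccessKey", target="alice"),
    # No user.target.name populated: null comparison, no alert.
    _ev("CreateAccessKey", user="carol"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Two of the constructed cases are worth keeping in mind when tuning these rules in production: a customer-managed policy named AdministratorAccess fires the Attach* rules exactly like the AWS managed one, because the dissect keeps only the last path segment of the ARN, and a CreateAccessKey event whose user.target.name the integration did not populate is silently dropped by the null comparison rather than surfaced for review.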