Sample rules
AWS IAM AdministratorAccess Policy Attached to User
- source: elastic
- techniques:
  - T1098
Description
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where
event.provider == "iam.amazonaws.com"
and event.action == "AttachUserPolicy"
and event.outcome == "success"
// Extract policy name and user name from request parameters
| dissect aws.cloudtrail.request_parameters
"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?userName}=%{Esql_priv.aws_cloudtrail_request_parameters_target_user_name}}"
// Filter for AdministratorAccess policy
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"
// keep ECS and parsed fields
| keep
@timestamp,
cloud.region,
event.provider,
event.action,
event.outcome,
Esql.aws_cloudtrail_request_parameters_policy_name,
Esql_priv.aws_cloudtrail_request_parameters_target_user_name,
aws.cloudtrail.request_parameters,
aws.cloudtrail.user_identity.arn,
related.user,
user_agent.original,
user.name,
source.address
AWS IAM AdministratorAccess Policy Attached to Group
- source: elastic
- techniques:
  - T1098
Description
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM AttachGroupPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user group.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where
event.provider == "iam.amazonaws.com"
and event.action == "AttachGroupPolicy"
and event.outcome == "success"
// Extract policy and group details from request parameters
| dissect aws.cloudtrail.request_parameters
"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?groupName}=%{Esql.aws_cloudtrail_request_parameters_group_name}}"
// Filter for attachment of AdministratorAccess policy
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"
// keep ECS and derived fields
| keep
@timestamp,
event.provider,
event.action,
event.outcome,
Esql.aws_cloudtrail_request_parameters_policy_name,
Esql.aws_cloudtrail_request_parameters_group_name
AWS IAM AdministratorAccess Policy Attached to Role
- source: elastic
- techniques:
  - T1098
Description
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM AttachRolePolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM role.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where
event.provider == "iam.amazonaws.com"
and event.action == "AttachRolePolicy"
and event.outcome == "success"
// Extract policy name and role name from request parameters
| dissect aws.cloudtrail.request_parameters
"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?roleName}=%{Esql.aws_cloudtrail_request_parameters_role_name}}"
// Filter for AdministratorAccess policy attachment
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"
// keep relevant ECS and dynamic fields
| keep
@timestamp,
event.provider,
event.action,
event.outcome,
Esql.aws_cloudtrail_request_parameters_policy_name,
Esql.aws_cloudtrail_request_parameters_role_name
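The three rules above (User, Group, Role) share one shape: filter successful IAM Attach*Policy calls, pull the policy name out of the policy ARN in the request parameters, and keep only AdministratorAccess. The following is an added Python example, not Elastic's rule code, that re-implements that logic over raw CloudTrail JSON (eventSource, eventName, requestParameters, userIdentity) rather than the ECS fields the ES|QL uses, and runs it over a handful of constructed events. Everything in it is an assumption for illustration: the event bodies are made up, and the Alert type, helper names and the 12-digit account are the example's own. One deliberate difference from the rules is pointed out in the comments: the dissect pattern skips the account segment of the ARN, so a customer-managed policy that reuses the name AdministratorAccess matches too; the example keeps that behaviour but records whether the ARN is the AWS managed one so a triager can tell the two apart.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Policy ARN grammar: arn:<partition>:iam::<"aws" or 12-digit account>:policy/<optional path/><name>
# The rules' dissect pattern skips the account segment, so a customer-managed policy that
# merely reuses the name also matches. This example keeps that behaviour but records whether
# the ARN really is the AWS managed policy so the analyst can tell them apart.
POLICY_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z-]+)?):iam::(?P<account>aws|\d{12}):policy/"
    r"(?P<path>(?:[^/]+/)*)(?P<name>[^/]+)$"
)

# CloudTrail eventName -> (principal type, request parameter that names the target)
ATTACH_CALLS = {
    "AttachUserPolicy": ("user", "userName"),
    "AttachGroupPolicy": ("group", "groupName"),
    "AttachRolePolicy": ("role", "roleName"),
}


@dataclass(frozen=True)
class Alert:
    rule: str            # which of the three rules above this corresponds to
    principal_type: str  # user / group / role
    principal_name: str  # the IAM principal that received the policy
    policy_arn: str
    aws_managed: bool    # True only for arn:<partition>:iam::aws:policy/...
    actor: str           # who made the call
    source_ip: str


def parse_policy_arn(arn: Optional[str]) -> Optional[dict]:
    """Split a policy ARN into partition/account/path/name, or None if it is not one."""
    m = POLICY_ARN.match(arn or "")
    return m.groupdict() if m else None


def actor_name(event: dict) -> str:
    """IAM users carry userName directly; assumed-role sessions only carry it on the session issuer."""
    ident = event.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return ident.get("userName") or issuer.get("userName") or ident.get("arn") or "<unknown>"


def detect_admin_policy_attach(events: Iterable[dict],
                               policy_name: str = "AdministratorAccess") -> Iterator[Alert]:
    """Yield one Alert per successful Attach{User,Group,Role}Policy call that attaches policy_name."""
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        call = ATTACH_CALLS.get(ev.get("eventName", ""))
        # A failed call carries errorCode; that is the raw-log counterpart of event.outcome == "success".
        if call is None or ev.get("errorCode"):
            continue
        ptype, target_key = call
        params = ev.get("requestParameters") or {}
        arn = parse_policy_arn(params.get("policyArn"))
        if arn is None or arn["name"] != policy_name:
            continue
        yield Alert(
            rule=f"AWS IAM {policy_name} Policy Attached to {ptype.capitalize()}",
            principal_type=ptype,
            principal_name=params.get(target_key, "<missing>"),
            policy_arn=params["policyArn"],
            aws_managed=arn["account"] == "aws",
            actor=actor_name(ev),
            source_ip=ev.get("sourceIPAddress", ""),
        )


# --- constructed sample events (made up for this example, not real CloudTrail data) -------
def _event(name: str, params: dict, identity: dict, **extra) -> dict:
    ev = {"eventSource": "iam.amazonaws.com", "eventName": name, "awsRegion": "us-east-1",
          "sourceIPAddress": "203.0.113.10", "userIdentity": identity, "requestParameters": params}
    ev.update(extra)
    return ev

ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
CI_SESSION = {"type": "AssumedRole",
              "arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42",
              "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "ci-deployer"}}}
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
LOOKALIKE = "arn:aws:iam::123456789012:policy/AdministratorAccess"   # customer-managed, same name

SAMPLE_EVENTS = [
    _event("AttachUserPolicy", {"policyArn": ADMIN, "userName": "svc-backup"}, ALICE),        # alert
    _event("AttachGroupPolicy", {"policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
                                 "groupName": "auditors"}, ALICE),                           # benign
    _event("AttachRolePolicy", {"policyArn": ADMIN, "roleName": "app-runtime"}, CI_SESSION),  # alert
    _event("AttachUserPolicy", {"policyArn": ADMIN, "userName": "bob"}, ALICE,
           errorCode="AccessDenied"),                                                         # failed, no alert
    _event("AttachUserPolicy", {"policyArn": LOOKALIKE, "userName": "bob"}, ALICE),           # alert, not AWS managed
]


def run_sample() -> list:
    return list(detect_admin_policy_attach(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Against the five constructed events the detector fires three times: the user attachment, the role attachment made from an assumed-role session (note the actor resolves to the session issuer, not a userName, which the ES|QL rules would surface through aws.cloudtrail.user_identity.arn), and the look-alike customer-managed policy, which is reported with aws_managed set to False. The denied attempt and the ReadOnlyAccess attachment produce nothing, matching the rules' event.outcome and policy-name filters.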
AWS IAM User Created Access Keys For Another User
- source: elastic
- techniques:
  - T1098
Description
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM CreateAccessKey API operation to create new programmatic access keys for another IAM user.
Detection logic
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com"
and event.action == "CreateAccessKey"
and event.outcome == "success"
and user.name != user.target.name
| keep
@timestamp,
cloud.region,
event.provider,
event.action,
event.outcome,
user.name,
source.address,
user.target.name,
user_agent.original,
aws.cloudtrail.request_parameters,
aws.cloudtrail.response_elements,
aws.cloudtrail.user_identity.arn,
aws.cloudtrail.user_identity.type
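The whole of this rule is the comparison user.name != user.target.name, so what matters in practice is how the two sides are resolved. The following is an added Python example, not Elastic's rule code, that performs the same check over raw CloudTrail JSON and makes two choices explicit that the ES|QL leaves to the integration's field mapping: the target user is taken from responseElements.accessKey.userName first, because when a caller omits userName IAM creates the key for the caller and only the response records that, and the actor is resolved from userIdentity.userName with a fallback to the assumed-role session issuer. All event bodies, principal names and key IDs are constructed for the example; the KeyAlert type and helper names are the example's own.

```python
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional


@dataclass(frozen=True)
class KeyAlert:
    actor: str          # principal that called CreateAccessKey
    actor_type: str     # userIdentity.type: IAMUser, AssumedRole, Root, ...
    target_user: str    # IAM user the new key belongs to
    access_key_id: str  # from responseElements; the thing you deactivate during response
    source_ip: str


def caller_name(identity: dict) -> Optional[str]:
    """IAM users carry userName directly; assumed-role sessions only carry it on the session issuer."""
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return identity.get("userName") or issuer.get("userName")


def key_target(event: dict) -> Optional[str]:
    """Prefer responseElements: when the request omits userName, IAM creates the key for
    the caller, and only the response records which user that turned out to be."""
    resp = (event.get("responseElements") or {}).get("accessKey") or {}
    req = event.get("requestParameters") or {}
    return resp.get("userName") or req.get("userName")


def detect_keys_for_other_user(events: Iterable[dict]) -> Iterator[KeyAlert]:
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreateAccessKey":
            continue
        if ev.get("errorCode"):       # failed call; the rule requires event.outcome == "success"
            continue
        ident = ev.get("userIdentity") or {}
        actor, target = caller_name(ident), key_target(ev)
        if target is None:
            continue
        # The one benign shape the rule excludes: an IAM user rotating its own key.
        if ident.get("type") == "IAMUser" and actor == target:
            continue
        # Everything else minted a key for someone else: another user, a role session, or a
        # caller whose name could not be resolved (kept and reported rather than silently dropped).
        key = (ev.get("responseElements") or {}).get("accessKey") or {}
        yield KeyAlert(actor or ident.get("arn", "<unknown>"), ident.get("type", ""),
                       target, key.get("accessKeyId", ""), ev.get("sourceIPAddress", ""))


# --- constructed sample events (made up for this example, not real CloudTrail data) ------
def _event(identity: dict, request: Optional[dict], response: Optional[dict], **extra) -> dict:
    ev = {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
          "sourceIPAddress": "198.51.100.7", "userIdentity": identity,
          "requestParameters": request, "responseElements": response}
    ev.update(extra)
    return ev


def _key(user: str, key_id: str) -> dict:
    return {"accessKey": {"userName": user, "accessKeyId": key_id, "status": "Active"}}


ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}
CI_SESSION = {"type": "AssumedRole",
              "arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42",
              "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "ci-deployer"}}}

SAMPLE_EVENTS = [
    _event(ALICE, None, _key("alice", "AKIAEXAMPLE000000001")),                            # self-rotation, benign
    _event(ALICE, {"userName": "svc-backup"}, _key("svc-backup", "AKIAEXAMPLE000000002")),  # alert
    _event(CI_SESSION, {"userName": "svc-backup"}, _key("svc-backup", "AKIAEXAMPLE000000003")),  # alert, role actor
    _event(BOB, {"userName": "alice"}, None, errorCode="AccessDenied"),                     # failed, no alert
]


def run_sample() -> list:
    return list(detect_keys_for_other_user(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two of the four constructed events alert: alice creating a key for svc-backup, and the ci-deployer role session doing the same. The self-rotation is excluded even though its request carries no userName, because the target is read from the response. One caveat when porting this back to ES|QL: a comparison against a null field evaluates to null and where discards the row, so a caller for whom user.name is not populated never reaches the user.name != user.target.name test at all; how the CloudTrail integration fills user.name for assumed-role sessions therefore decides whether those events are compared, which is why the example resolves the issuer itself and reports an unresolved actor rather than dropping it.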