while this can be normal behavior, it should be investigated to ensure validity. verify whether the user identity should be using the iam `attachrolepolicy` api operation to attach the `administratoraccess` policy to the target role.

T1098

Sample rules

AWS IAM AdministratorAccess Policy Attached to Role

source: elastic
technicques:
- T1098

Description

An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM AttachRolePolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM role.

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index

| where
  event.provider == "iam.amazonaws.com"
  and event.action == "AttachRolePolicy"
  and event.outcome == "success"

// Extract policy name and role name from request parameters
| dissect aws.cloudtrail.request_parameters
    "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?roleName}=%{Esql.aws_cloudtrail_request_parameters_role_name}}"

// Filter for AdministratorAccess policy attachment
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"

// keep relevant ECS and dynamic fields
| keep
  @timestamp,
  event.provider,
  event.action,
  event.outcome,
  Esql.aws_cloudtrail_request_parameters_policy_name,
  Esql.aws_cloudtrail_request_parameters_role_name

AWS IAM User Created Access Keys For Another User

source: elastic
technicques:
- T1098

Description

An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM CreateAccessKey API operation to create new programmatic access keys for another IAM user.

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com"
    and event.action == "CreateAccessKey"
    and event.outcome == "success"
    and user.name != user.target.name
| keep
    @timestamp,
    cloud.region,
    event.provider,
    event.action,
    event.outcome,
    user.name,
    source.address,
    user.target.name,
    user_agent.original,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.type

T1098

Sample rules

AWS IAM AdministratorAccess Policy Attached to Role

source: elastic
technicques:
- T1098

Description

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index

| where
  event.provider == "iam.amazonaws.com"
  and event.action == "AttachRolePolicy"
  and event.outcome == "success"

// Extract policy name and role name from request parameters
| dissect aws.cloudtrail.request_parameters
    "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?roleName}=%{Esql.aws_cloudtrail_request_parameters_role_name}}"

// Filter for AdministratorAccess policy attachment
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"

// keep relevant ECS and dynamic fields
| keep
  @timestamp,
  event.provider,
  event.action,
  event.outcome,
  Esql.aws_cloudtrail_request_parameters_policy_name,
  Esql.aws_cloudtrail_request_parameters_role_name

AWS IAM User Created Access Keys For Another User

source: elastic
technicques:
- T1098

Description

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com"
    and event.action == "CreateAccessKey"
    and event.outcome == "success"
    and user.name != user.target.name
| keep
    @timestamp,
    cloud.region,
    event.provider,
    event.action,
    event.outcome,
    user.name,
    source.address,
    user.target.name,
    user_agent.original,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.type

AWS IAM AdministratorAccess Policy Attached to User

source: elastic
technicques:
- T1098

Description

An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index

| where
  event.provider == "iam.amazonaws.com"
  and event.action == "AttachUserPolicy"
  and event.outcome == "success"

// Extract policy name and user name from request parameters
| dissect aws.cloudtrail.request_parameters
    "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?userName}=%{Esql_priv.aws_cloudtrail_request_parameters_target_user_name}}"

// Filter for AdministratorAccess policy
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"

// keep ECS and parsed fields
| keep
    @timestamp,
    cloud.region,
    event.provider,
    event.action,
    event.outcome,
    Esql.aws_cloudtrail_request_parameters_policy_name,
    Esql_priv.aws_cloudtrail_request_parameters_target_user_name,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.user_identity.arn,
    related.user,
    user_agent.original,
    user.name,
    source.address

T1098

Sample rules

AWS IAM AdministratorAccess Policy Attached to Role

source: elastic
technicques:
- T1098

Description

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index

| where
  event.provider == "iam.amazonaws.com"
  and event.action == "AttachRolePolicy"
  and event.outcome == "success"

// Extract policy name and role name from request parameters
| dissect aws.cloudtrail.request_parameters
    "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?roleName}=%{Esql.aws_cloudtrail_request_parameters_role_name}}"

// Filter for AdministratorAccess policy attachment
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"

// keep relevant ECS and dynamic fields
| keep
  @timestamp,
  event.provider,
  event.action,
  event.outcome,
  Esql.aws_cloudtrail_request_parameters_policy_name,
  Esql.aws_cloudtrail_request_parameters_role_name

AWS IAM User Created Access Keys For Another User

source: elastic
technicques:
- T1098

Description

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com"
    and event.action == "CreateAccessKey"
    and event.outcome == "success"
    and user.name != user.target.name
| keep
    @timestamp,
    cloud.region,
    event.provider,
    event.action,
    event.outcome,
    user.name,
    source.address,
    user.target.name,
    user_agent.original,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.type

T1098

Sample rules

AWS IAM AdministratorAccess Policy Attached to Role

source: elastic
technicques:
- T1098

Description

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index

| where
  event.provider == "iam.amazonaws.com"
  and event.action == "AttachRolePolicy"
  and event.outcome == "success"

// Extract policy name and role name from request parameters
| dissect aws.cloudtrail.request_parameters
    "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?roleName}=%{Esql.aws_cloudtrail_request_parameters_role_name}}"

// Filter for AdministratorAccess policy attachment
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"

// keep relevant ECS and dynamic fields
| keep
  @timestamp,
  event.provider,
  event.action,
  event.outcome,
  Esql.aws_cloudtrail_request_parameters_policy_name,
  Esql.aws_cloudtrail_request_parameters_role_name

AWS IAM User Created Access Keys For Another User

source: elastic
technicques:
- T1098

Description

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.provider == "iam.amazonaws.com"
    and event.action == "CreateAccessKey"
    and event.outcome == "success"
    and user.name != user.target.name
| keep
    @timestamp,
    cloud.region,
    event.provider,
    event.action,
    event.outcome,
    user.name,
    source.address,
    user.target.name,
    user_agent.original,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.type

AWS IAM AdministratorAccess Policy Attached to User

source: elastic
technicques:
- T1098

Description

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index

| where
  event.provider == "iam.amazonaws.com"
  and event.action == "AttachUserPolicy"
  and event.outcome == "success"

// Extract policy name and user name from request parameters
| dissect aws.cloudtrail.request_parameters
    "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?userName}=%{Esql_priv.aws_cloudtrail_request_parameters_target_user_name}}"

// Filter for AdministratorAccess policy
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"

// keep ECS and parsed fields
| keep
    @timestamp,
    cloud.region,
    event.provider,
    event.action,
    event.outcome,
    Esql.aws_cloudtrail_request_parameters_policy_name,
    Esql_priv.aws_cloudtrail_request_parameters_target_user_name,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.user_identity.arn,
    related.user,
    user_agent.original,
    user.name,
    source.address

AWS IAM AdministratorAccess Policy Attached to Group

source: elastic
technicques:
- T1098

Description

An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM AttachGroupPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user group.

Detection logic

from logs-aws.cloudtrail-* metadata _id, _version, _index

| where
  event.provider == "iam.amazonaws.com"
  and event.action == "AttachGroupPolicy"
  and event.outcome == "success"

// Extract policy and group details from request parameters
| dissect aws.cloudtrail.request_parameters
    "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{Esql.aws_cloudtrail_request_parameters_policy_name},%{?groupName}=%{Esql.aws_cloudtrail_request_parameters_group_name}}"

// Filter for attachment of AdministratorAccess policy
| where Esql.aws_cloudtrail_request_parameters_policy_name == "AdministratorAccess"

// keep ECS and derived fields
| keep
  @timestamp,
  event.provider,
  event.action,
  event.outcome,
  Esql.aws_cloudtrail_request_parameters_policy_name,
  Esql.aws_cloudtrail_request_parameters_group_name