/
aws_detect_attach_to_role_policy.yml
44 lines (44 loc) · 1.59 KB
/
aws_detect_attach_to_role_policy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
name: aws detect attach to role policy
id: 88fc31dd-f331-448c-9856-d3d51dd5d3a1
version: 1
date: '2020-07-27'
author: Rod Soto, Splunk
status: experimental
type: Hunting
description: This search provides detection of an user attaching itself to a different
role trust policy. This can be used for lateral movement and escalation of privileges.
data_source: []
search: '`aws_cloudwatchlogs_eks` attach policy| spath requestParameters.policyArn
| table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn
eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated
userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`'
how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This
search works with cloudwatch logs
known_false_positives: Attach to policy can create a lot of noise. This search can
be adjusted to provide specific values to identify cases of abuse (i.e status=failure).
The search can provide context for common users attaching themselves to higher privilege
policies or even newly created policies.
references: []
tags:
analytic_story:
- AWS Cross Account Activity
asset_type: AWS Account
confidence: 50
impact: 50
message: tbd
mitre_attack_id:
- T1078
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- requestParameters.policyArn
risk_score: 25
security_domain: threat