/
aws_detect_role_creation.yml
62 lines (62 loc) · 1.93 KB
/
aws_detect_role_creation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: aws detect role creation
id: 5f04081e-ddee-4353-afe4-504f288de9ad
version: 1
date: '2020-07-27'
author: Rod Soto, Splunk
status: experimental
type: Hunting
description: This search provides detection of role creation by IAM users. Role creation
is an event by itself if user is creating a new role with trust policies different
than the available in AWS and it can be used for lateral movement and escalation
of privileges.
data_source: []
search: '`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole
requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId
userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName
requestParameters.description responseElements.role.arn responseElements.role.createDate
| `aws_detect_role_creation_filter`'
how_to_implement: You must install splunk AWS add-on and Splunk App for AWS. This
search works with cloudwatch logs
known_false_positives: CreateRole is not very common in common users. This search
can be adjusted to provide specific values to identify cases of abuse. In general
AWS provides plenty of trust policies that fit most use cases.
references: []
tags:
analytic_story:
- AWS Cross Account Activity
asset_type: AWS Account
confidence: 50
impact: 50
message: tbd
mitre_attack_id:
- T1078
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- event_name
- action
- userIdentity.type
- requestParameters.description
- sourceIPAddress
- userIdentity.principalId
- userIdentity.arn
- action
- event_name
- awsRegion
- http_user_agent
- mfa_auth
- msg
- requestParameters.roleName
- requestParameters.description
- responseElements.role.arn
- responseElements.role.createDate
risk_score: 25
security_domain: threat