/
aws_setdefaultpolicyversion.yml
67 lines (67 loc) · 2.44 KB
/
aws_setdefaultpolicyversion.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: AWS SetDefaultPolicyVersion
id: 2a9b80d3-6340-4345-11ad-212bf3d0dac4
version: 1
date: '2021-03-02'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: This search looks for AWS CloudTrail events where a user has set a default
policy versions. Attackers have been know to use this technique for Privilege Escalation
in case the previous versions of the policy had permissions to access more resources
than the current version of the policy
data_source:
- AWS CloudTrail SetDefaultPolicyVersion
search: '`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn)
as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id
errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`'
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
search works with AWS CloudTrail logs.
known_false_positives: While this search has no known false positives, it is possible
that an AWS admin has legitimately set a default policy to allow a user to access
all resources. That said, AWS strongly advises against granting full control to
all AWS resources
references:
- https://bishopfox.com/blog/privilege-escalation-in-aws
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
tags:
analytic_story:
- AWS IAM Privilege Escalation
asset_type: AWS Account
confidence: 60
impact: 50
message: From IP address $src$, user $user_arn$ has trigged an
event $eventName$ for updating the the default policy version
mitre_attack_id:
- T1078.004
- T1078
observable:
- name: src
type: IP Address
role:
- Attacker
- name: user_arn
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- eventName
- userAgent
- errorCode
- requestParameters.userName
- eventSource
risk_score: 30
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true