updated notes

Author: terrancedejesus

hunting/aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml

@@ -9,11 +9,11 @@ name = "AWS IAM Customer-Managed Policy Attachment for Privilege Escalation"
 language = ["ES|QL"]
 license = "Elastic License v2"
 notes = [
-"Review the `target_account_id` field to verify the AWS account in which the role is being modified, especially if this account is outside of your organization’s typical accounts.",
-"Examine `aws.cloudtrail.request_parameters` for details on the role and attached policy. Customer-managed policies granting overly permissive access, such as `AdministratorAccess`, may signal unauthorized privilege escalation.",
-"Cross-reference `event.action` values where `AttachRolePolicy` appears to further investigate attached policies that could enable lateral movement or persistence.",
-"Evaluate `aws.cloudtrail.user_identity.arn` to confirm if the actor attaching the policy has legitimate permissions for this action. Anomalous or unauthorized actors may indicate privilege abuse.",
-"Look for patterns of multiple `AttachRolePolicy` actions across roles by the same user or entity. High frequency of these actions could suggest an attempt to establish persistent control across roles within your AWS environment."
+"Review the `attached_policy_name` and `target_role_name` fields to identify the customer-managed policy and role involved in the attachment.",
+"Review the permissions of the attached policy to determine the potential impact of the privilege escalation attempt.",
+"Review all entities that `target_role_name` may be attached to as these entities may have been compromised or misused.",
+"Consider reviewing the `aws.cloudtrail.user_identity.arn` field to identify the actor responsible for the privilege escalation attempt.",
+"Review the user agent of the actor to determine the source of the privilege escalation attempt, such as an AWS CLI or SDK.",
 ]
 mitre = ['T1548.005']
 query = [