| 1 | +# AWS IAM Customer-Managed Policy Attachment for Privilege Escalation |
| 2 | + |
| 3 | +--- |
| 4 | + |
| 5 | +## Metadata |
| 6 | + |
| 7 | +- **Author:** Elastic |
| 8 | +- **Description:** This hunting query identifies instances where customer-managed IAM policies are attached to existing roles, potentially indicating a privilege escalation attempt. By detecting unexpected actors attaching customer-managed policies with elevated permissions to roles, this query helps identify potential abuse or misuse within AWS. Adversaries may attach these policies to gain unauthorized permissions or enable lateral movement and persistence within the environment. |
| 9 | + |
| 10 | +- **UUID:** `418baaf2-9ae1-11ef-be63-f661ea17fbcd` |
| 11 | +- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail) |
| 12 | +- **Language:** `[ES|QL]` |
| 13 | +- **Source File:** [AWS IAM Customer-Managed Policy Attachment for Privilege Escalation](../queries/iam_customer_managed_policies_attached_to_existing_roles.toml) |
| 14 | + |
| 15 | +## Query |
| 16 | + |
| 17 | +```sql |
| 18 | +from logs-aws.cloudtrail* |
| 19 | +| where |
| 20 | + event.dataset == "aws.cloudtrail" |
| 21 | + and event.provider == "iam.amazonaws.com" |
| 22 | + and event.action == "AttachRolePolicy" |
| 23 | + and event.outcome == "success" |
| 24 | +| dissect aws.cloudtrail.request_parameters "{%{}::%{owner}:%{?policy_key}/%{attached_policy_name}, %{?role_name_key}=%{target_role_name}}" |
| 25 | +| where owner != "aws" |
| 26 | +| stats |
| 27 | + actor_attaching_role_count = count(*) by aws.cloudtrail.user_identity.arn, attached_policy_name, target_role_name |
| 28 | +``` |
| 29 | + |
| 30 | +## Notes |
| 31 | + |
| 32 | +- Review the `target_account_id` field to verify the AWS account in which the role is being modified, especially if this account is outside of your organization’s typical accounts. |
| 33 | +- Examine `aws.cloudtrail.request_parameters` for details on the role and attached policy. Customer-managed policies granting overly permissive access, such as `AdministratorAccess`, may signal unauthorized privilege escalation. |
| 34 | +- Cross-reference `event.action` values where `AttachRolePolicy` appears to further investigate attached policies that could enable lateral movement or persistence. |
| 35 | +- Evaluate `aws.cloudtrail.user_identity.arn` to confirm if the actor attaching the policy has legitimate permissions for this action. Anomalous or unauthorized actors may indicate privilege abuse. |
| 36 | +- Look for patterns of multiple `AttachRolePolicy` actions across roles by the same user or entity. High frequency of these actions could suggest an attempt to establish persistent control across roles within your AWS environment. |
| 37 | + |
| 38 | +## MITRE ATT&CK Techniques |
| 39 | + |
| 40 | +- [T1548.005](https://attack.mitre.org/techniques/T1548/005) |
| 41 | + |
| 42 | +## License |
| 43 | + |
| 44 | +- `Elastic License v2` |
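Review bot: The Notes section is out of sync with the query in two places. The first note tells the analyst to review a `target_account_id` field, but the query never produces one: the `dissect` captures the policy's account into `owner`, and the `stats ... by` clause keeps only `aws.cloudtrail.user_identity.arn`, `attached_policy_name` and `target_role_name`, so neither `owner` nor any account identifier survives to the output. Consider adding `owner` (or `aws.cloudtrail.recipient_account_id`, if that is the intended field) to the `by` clause and naming that field in the note. The second note cites `AdministratorAccess` as an example of a customer-managed policy, but it is an AWS-managed policy (`arn:aws:iam::aws:policy/AdministratorAccess`), which the `| where owner != "aws"` line explicitly excludes; replace it with wording like "a customer-managed policy whose document grants `*:*` or `iam:*`" so the note describes something the query can actually surface.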