toml-lint

Author: imays11

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml

@@ -7,11 +7,16 @@ updated_date = "2025/10/13"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM AttachGroupPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user group.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM
+AttachGroupPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing
+IAM user group.
 """
 false_positives = [
     """
-    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group.
+    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+    should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user
+    group.
     """,
 ]
 from = "now-6m"
@@ -87,7 +92,6 @@ Adversaries can exploit `iam:AttachGroupPolicy` permissions to escalate privileg
 - **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/): for containment, analysis, and recovery guidance.
 - **AWS Documentation:** [AdministratorAccess Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator).
 """
-
 references = [
     "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html",
     "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
@@ -117,23 +121,6 @@ iam where event.dataset == "aws.cloudtrail"
    and stringContains(aws.cloudtrail.request_parameters, "policyArn=arn:aws:iam::aws:policy/AdministratorAccess")
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "@timestamp",
-    "user.name",
-    "user_agent.original",
-    "source.ip",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.access_key_id",
-    "event.action",
-    "group.name",
-    "event.outcome",
-    "cloud.account.id",
-    "cloud.region",
-    "aws.cloudtrail.request_parameters"
-]
-
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -170,3 +157,20 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "group.name",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+]
+

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml

@@ -7,11 +7,15 @@ updated_date = "2025/10/13"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM AttachRolePolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM role.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to compromised IAM roles. This rule looks for use of the IAM AttachRolePolicy API operation to
+attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM role.
 """
 false_positives = [
     """
-    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role.
+    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+    should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target
+    role.
     """,
 ]
 from = "now-6m"
@@ -86,7 +90,6 @@ This rule detects `AttachRolePolicy` events where the `policyName` is `Administr
 - **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/): for containment, analysis, and recovery guidance.
 - **AWS Documentation:** [AdministratorAccess Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator).  
 """
-
 references = [
     "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html",
     "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
@@ -116,22 +119,6 @@ iam where event.dataset == "aws.cloudtrail"
    and stringContains(aws.cloudtrail.request_parameters, "policyArn=arn:aws:iam::aws:policy/AdministratorAccess")
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "@timestamp",
-    "user.name",
-    "user_agent.original",
-    "source.ip",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.access_key_id",
-    "event.action",
-    "event.outcome",
-    "cloud.account.id",
-    "cloud.region",
-    "aws.cloudtrail.request_parameters"
-]
-
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -168,3 +155,19 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+]
+

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml

@@ -7,11 +7,15 @@ updated_date = "2025/10/13"
 [rule]
 author = ["Elastic"]
 description = """
-An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
+additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy API operation
+to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.
 """
 false_positives = [
     """
-    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user.
+    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
+    should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target
+    user.
     """,
 ]
 from = "now-6m"
@@ -92,7 +96,6 @@ This rule detects `AttachUserPolicy` events where the attached policy name is `A
 - **AWS Documentation:** [AdministratorAccess Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator).  
 - **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).  
 """
-
 references = [
     "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html",
     "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
@@ -122,22 +125,6 @@ iam where event.dataset == "aws.cloudtrail"
    and stringContains(aws.cloudtrail.request_parameters, "policyArn=arn:aws:iam::aws:policy/AdministratorAccess")
 '''
 
-[rule.investigation_fields]
-field_names = [
-    "@timestamp",
-    "user.name",
-    "user_agent.original",
-    "source.ip",
-    "aws.cloudtrail.user_identity.arn",
-    "aws.cloudtrail.user_identity.type",
-    "aws.cloudtrail.user_identity.access_key_id",
-    "event.action",
-    "user.target.name",
-    "event.outcome",
-    "cloud.account.id",
-    "cloud.region",
-    "aws.cloudtrail.request_parameters"
-]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -174,3 +161,20 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "user.target.name",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+]
+