Analytics Story: AWS IAM Privilege Escalation

Description

This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.

Why it matters

Amazon Web Services provides a feature called Identity and Access Management (IAM) that enables organizations to manage access to AWS services and resources in a secure way. Every IAM user has roles, groups and policies associated with it, and these govern the permissions that determine which resources the user is allowed to access. However, if these IAM policies are misconfigured and contain specific combinations of weak permissions, they can allow attackers to escalate their privileges and further compromise the organization. Rhino Security Labs have published comprehensive blog posts detailing various AWS privilege escalation methods. Using that work as inspiration, Splunk's research team wants to highlight how these attack vectors look in AWS CloudTrail logs and provide you with detection queries to uncover these potentially malicious events via this Analytic Story.

Detections

Name | Technique | Type
ASL AWS IAM Delete Policy | Account Manipulation | Hunting
ASL AWS IAM Failure Group Deletion | Account Manipulation | Anomaly
ASL AWS IAM Successful Group Deletion | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting
AWS Create Policy Version to allow all resources | Cloud Accounts, Valid Accounts | TTP
AWS CreateAccessKey | Cloud Account, Create Account | Hunting
AWS CreateLoginProfile | Cloud Account, Create Account | TTP
AWS IAM Assume Role Policy Brute Force | Cloud Infrastructure Discovery, Brute Force | TTP
AWS IAM Delete Policy | Account Manipulation | Hunting
AWS IAM Failure Group Deletion | Account Manipulation | Anomaly
AWS IAM Successful Group Deletion | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting
AWS Password Policy Changes | Password Policy Discovery | Hunting
AWS SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP
AWS UpdateLoginProfile | Cloud Account, Create Account | TTP
ASL AWS CreateAccessKey | Valid Accounts | Hunting
ASL AWS Password Policy Changes | Password Policy Discovery | Hunting

Data Sources

Name | Platform | Sourcetype | Source
AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail ConsoleLogin | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail CreateAccessKey | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail CreateLoginProfile | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail CreatePolicyVersion | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail DeleteAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail DeleteGroup | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail DeletePolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail GetAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail SetDefaultPolicyVersion | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail UpdateAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail UpdateLoginProfile | AWS | aws:cloudtrail | aws_cloudtrail

Source: GitHub | Version: 2