⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION

We have not been able to test, simulate or build datasets for it; use at your own risk!


Description

This search detects role creation by IAM users. Role creation is notable in itself when a user creates a new role with a trust policy different from those AWS already provides, and such a role can be used for lateral movement and privilege escalation.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-07-27
  • Author: Rod Soto, Splunk
  • ID: 5f04081e-ddee-4353-afe4-504f288de9ad

ATT&CK

  • ID: T1078
  • Technique: Valid Accounts
  • Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access

Search

`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows*
| table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate
| `aws_detect_role_creation_filter`
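The following Python is an added example, not part of this detection or of Splunk's own code. It re-implements the search's filter over constructed CloudTrail-style records so the logic can be exercised offline: it keeps events where event_name is CreateRole, action is created, userIdentity.type is AssumedRole and the description begins with "Allows", projects the same columns the `table` command selects, and models the `aws_detect_role_creation_filter` macro as a simple allowlist of role-name prefixes. It goes one step beyond the SPL by decoding the role's trust policy (the assumeRolePolicyDocument request parameter, which CloudTrail records URL-encoded) and listing any principal that is not an AWS service principal, since the description above is what makes a non-standard trust policy worth reviewing. The field names follow the Splunk-normalised names used on this page (event_name, http_user_agent, mfa_auth, msg); the sample events, the allowlist and the function names are assumptions for the example.

```python
"""Added example: offline re-implementation of the CreateRole hunting search
over constructed CloudTrail-style records (not Splunk's code)."""
import json
from urllib.parse import quote, unquote

# Columns selected by the SPL `table` command (dotted = nested JSON path).
TABLE_FIELDS = [
    "sourceIPAddress", "userIdentity.principalId", "userIdentity.arn", "action",
    "event_name", "awsRegion", "http_user_agent", "mfa_auth", "msg",
    "requestParameters.roleName", "requestParameters.description",
    "responseElements.role.arn", "responseElements.role.createDate",
]

# Stand-in for the `aws_detect_role_creation_filter` macro: role-name prefixes
# this environment creates routinely (constructed allowlist, an assumption).
ALLOWLISTED_ROLE_PREFIXES = ("terraform-", "cdk-")


def get_path(record, dotted):
    """Resolve a dotted field name such as 'userIdentity.type' against nested JSON."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_search(record):
    """Mirror the SPL filter: event_name=CreateRole action=created
    userIdentity.type=AssumedRole requestParameters.description=Allows*"""
    desc = get_path(record, "requestParameters.description") or ""
    return (get_path(record, "event_name") == "CreateRole"
            and get_path(record, "action") == "created"
            and get_path(record, "userIdentity.type") == "AssumedRole"
            and desc.startswith("Allows"))


def non_service_principals(record):
    """Decode the URL-encoded trust policy and return every principal that is
    not an AWS service principal (foreign-account ARNs, wildcards, etc.)."""
    raw = get_path(record, "requestParameters.assumeRolePolicyDocument")
    if not raw:
        return []
    policy = json.loads(unquote(raw))
    found = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":          # anyone may assume the role
            found.append("*")
            continue
        for kind, values in principal.items():
            if kind == "Service":     # AWS service principals are the normal case
                continue
            found.extend([values] if isinstance(values, str) else values)
    return found


def hunt(records):
    """Run the search over CloudTrail-style dicts; return one row per hit."""
    rows = []
    for rec in records:
        if not matches_search(rec):
            continue
        role = get_path(rec, "requestParameters.roleName") or ""
        if role.startswith(ALLOWLISTED_ROLE_PREFIXES):
            continue                  # the filter macro drops known-good roles
        row = {f: get_path(rec, f) for f in TABLE_FIELDS}
        row["review_principals"] = non_service_principals(rec)
        rows.append(row)
    return rows


def _trust_policy(principal):
    """Build a trust policy URL-encoded the way CloudTrail records it (constructed)."""
    doc = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}
    return quote(json.dumps(doc))


def _event(role, desc, principal, id_type="AssumedRole"):
    """Constructed CloudTrail-style record using the page's Splunk field names."""
    return {
        "event_name": "CreateRole", "action": "created", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.10", "http_user_agent": "aws-cli/2.0",
        "mfa_auth": "true", "msg": "CreateRole",
        "userIdentity": {"type": id_type, "principalId": "AROAEXAMPLE:alice",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
        "requestParameters": {"roleName": role, "description": desc,
                              "assumeRolePolicyDocument": _trust_policy(principal)},
        "responseElements": {"role": {"arn": f"arn:aws:iam::111122223333:role/{role}",
                                      "createDate": "Jul 27, 2020 1:00:00 PM"}},
    }


# Constructed sample events: a normal service role, a role trusting a foreign
# account, an IAMUser event the search excludes, and an allowlisted role.
SAMPLE_EVENTS = [
    _event("lambda-ingest", "Allows Lambda functions to call AWS services",
           {"Service": "lambda.amazonaws.com"}),
    _event("cross-acct-admin", "Allows access from partner account",
           {"AWS": "arn:aws:iam::999999999999:root"}),
    _event("lambda-ingest2", "Allows Lambda functions to call AWS services",
           {"Service": "lambda.amazonaws.com"}, id_type="IAMUser"),
    _event("terraform-deploy", "Allows Terraform to manage resources",
           {"Service": "ec2.amazonaws.com"}),
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["requestParameters.roleName"], row["review_principals"])
```

Running the block prints two hits: lambda-ingest with nothing to review, and cross-acct-admin with the foreign account principal listed. The allowlist plays the role the filter macro plays in Splunk, which is where the "specific values" mentioned under Known False Positives would be tuned.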

Associated Analytic Story

How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required fields

  • _time
  • event_name
  • action
  • userIdentity.type
  • requestParameters.description
  • sourceIPAddress
  • userIdentity.principalId
  • userIdentity.arn
  • awsRegion
  • http_user_agent
  • mfa_auth
  • msg
  • requestParameters.roleName
  • responseElements.role.arn
  • responseElements.role.createDate

Kill Chain Phase

  • Lateral Movement

Known False Positives

CreateRole is not very common among ordinary users. This search can be adjusted with specific values to identify cases of abuse. In general, AWS provides plenty of trust policies that fit most use cases.

Reference

Test Dataset

Replay any dataset into Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1