AWS IAM Privilege Escalation

This analytic story contains detections that query your AWS CloudTrail logs for IAM activity associated with privilege escalation, such as creating credentials for other users, attaching or rewriting policies, and enumeration that precedes it.
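The following is an added example, not one of the Splunk detections this story ships with. It shows the shape of the triage those detections perform: read CloudTrail records, keep the IAM API calls that grant or enumerate privileges, and tag each with the ATT&CK technique from the table below. The eventName-to-technique mapping, the severity choices, the helper names and the sample records are all assumptions made for this illustration; the records are constructed, not real logs.

```python
"""Triage CloudTrail IAM events for privilege-escalation indicators.

Added example (not the Splunk Security Content detections). The API lists,
severities and sample records below are assumptions constructed for it.
"""
import json

# IAM write APIs that change who holds which permissions (T1098 Account Manipulation).
POLICY_WRITES = {
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "AttachGroupPolicy", "PutGroupPolicy", "CreatePolicyVersion",
    "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy", "AddUserToGroup",
    "UpdateLoginProfile",
}
# APIs that mint new credentials for a principal; suspicious when aimed at someone else.
CREDENTIAL_WRITES = {"CreateAccessKey", "CreateLoginProfile"}
# Enumeration APIs: group listing maps to T1069.003, the rest to T1580.
GROUP_DISCOVERY = {"ListGroups", "ListGroupsForUser", "GetGroup"}
DISCOVERY = GROUP_DISCOVERY | {
    "ListUsers", "ListRoles", "ListPolicies", "ListAttachedUserPolicies",
    "GetAccountAuthorizationDetails",
}

# Constructed sample records, one JSON object per line (an exported, flattened trail).
SAMPLE_CLOUDTRAIL = "\n".join(json.dumps(r) for r in [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
                      "arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"userName": "admin-bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "dev-alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": None, "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"}},
])


def parse_records(ndjson_text):
    """Parse one CloudTrail record per line, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def classify(rec):
    """Return a finding dict for one record, or None if it is not of interest."""
    if rec.get("eventSource") != "iam.amazonaws.com":
        return None
    name = rec.get("eventName", "")
    ident = rec.get("userIdentity", {})
    actor = ident.get("userName") or ident.get("arn", "unknown")
    params = rec.get("requestParameters") or {}
    # IAM resolves a missing userName to the caller's own identity.
    target = params.get("userName", actor)
    error = rec.get("errorCode")
    finding = {"eventName": name, "actor": actor, "target": target, "errorCode": error}

    if name == "CreateUser":
        finding.update(technique="T1136.003", severity="medium")
    elif name in CREDENTIAL_WRITES:
        if target == actor:
            return None  # rotating your own key or password is not escalation by itself
        finding.update(technique="T1098", severity="high")
    elif name in POLICY_WRITES:
        admin = "AdministratorAccess" in params.get("policyArn", "")
        finding.update(technique="T1098", severity="high" if admin else "medium")
    elif name in DISCOVERY:
        if error is None:
            return None  # permitted enumeration alone is too noisy to alert on
        technique = "T1069.003" if name in GROUP_DISCOVERY else "T1580"
        finding.update(technique=technique, severity="low")
    else:
        return None
    return finding


def detect(ndjson_text):
    """Run classify() over every record and keep the findings."""
    return [f for f in map(classify, parse_records(ndjson_text)) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_CLOUDTRAIL):
        print(json.dumps(finding))
```

Two checks in the code are the ones worth carrying into a production rule: compare requestParameters.userName with the caller's own userName so that cross-user credential creation is separated from routine self-service rotation, and keep denied enumeration calls (errorCode present) rather than dropping failures, since a burst of AccessDenied on list/get APIs is how an attacker feeling out a foothold shows up in CloudTrail.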

Detection Profile

ATT&CK

ID          Technique                        Tactic
T1078.004   Cloud Accounts                   Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1136.003   Cloud Account                    Persistence
T1580       Cloud Infrastructure Discovery   Discovery
T1110       Brute Force                      Credential Access
T1098       Account Manipulation             Persistence
T1069.003   Cloud Groups                     Discovery

Kill Chain Phase

  • Actions on Objectives

  • Reconnaissance

Reference

  • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

  • https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect

  • https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws

version: 1