Skip to content

Commit

Permalink
[New Rule] Adding Coverage for `AWS IAM Customer-Managed Policy Attac…
Browse files Browse the repository at this point in the history
…hed to Role by Rare User` (#4245)

* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'

* adding investigation guide tag

* adds new hunting query

* updated notes

* changed name

* adjusting pyproject.toml version

(cherry picked from commit a92fdc1)
  • Loading branch information
terrancedejesus authored and github-actions[bot] committed Nov 6, 2024
1 parent ebb9b45 commit 2e61fbe
Show file tree
Hide file tree
Showing 7 changed files with 211 additions and 1 deletion.
2 changes: 2 additions & 0 deletions detection_rules/etc/non-ecs-schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,8 @@
"aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
"aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
"aws.cloudtrail.flattened.request_parameters.roleArn": "keyword",
"aws.cloudtrail.flattened.request_parameters.roleName": "keyword",
"aws.cloudtrail.flattened.request_paramters.policyArn": "keyword",
"aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword"
},
"logs-azure.signinlogs-*": {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# AWS IAM Customer-Managed Policy Attachment for Privilege Escalation

---

## Metadata

- **Author:** Elastic
- **Description:** This hunting query identifies instances where customer-managed IAM policies are attached to existing roles, potentially indicating a privilege escalation attempt. By detecting unexpected actors attaching customer-managed policies with elevated permissions to roles, this query helps identify potential abuse or misuse within AWS. Adversaries may attach these policies to gain unauthorized permissions or enable lateral movement and persistence within the environment.

- **UUID:** `418baaf2-9ae1-11ef-be63-f661ea17fbcd`
- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail)
- **Language:** `[ES|QL]`
- **Source File:** [AWS IAM Customer-Managed Policy Attachment for Privilege Escalation](../queries/iam_customer_managed_policies_attached_to_existing_roles.toml)

## Query

```sql
from logs-aws.cloudtrail*
| where
event.dataset == "aws.cloudtrail"
and event.provider == "iam.amazonaws.com"
and event.action == "AttachRolePolicy"
and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{}::%{owner}:%{?policy_key}/%{attached_policy_name}, %{?role_name_key}=%{target_role_name}}"
| where owner != "aws"
| stats
actor_attaching_role_count = count(*) by aws.cloudtrail.user_identity.arn, attached_policy_name, target_role_name
```

## Notes

- Review the `target_account_id` field to verify the AWS account in which the role is being modified, especially if this account is outside of your organization’s typical accounts.
- Examine `aws.cloudtrail.request_parameters` for details on the role and attached policy. Customer-managed policies granting overly permissive access, such as `AdministratorAccess`, may signal unauthorized privilege escalation.
- Cross-reference `event.action` values where `AttachRolePolicy` appears to further investigate attached policies that could enable lateral movement or persistence.
- Evaluate `aws.cloudtrail.user_identity.arn` to confirm if the actor attaching the policy has legitimate permissions for this action. Anomalous or unauthorized actors may indicate privilege abuse.
- Look for patterns of multiple `AttachRolePolicy` actions across roles by the same user or entity. High frequency of these actions could suggest an attempt to establish persistent control across roles within your AWS environment.

## MITRE ATT&CK Techniques

- [T1548.005](https://attack.mitre.org/techniques/T1548/005)

## License

- `Elastic License v2`
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
[hunt]
author = "Elastic"
description = """
This hunting query identifies instances where customer-managed IAM policies are attached to existing roles, potentially indicating a privilege escalation attempt. By detecting unexpected actors attaching customer-managed policies with elevated permissions to roles, this query helps identify potential abuse or misuse within AWS. Adversaries may attach these policies to gain unauthorized permissions or enable lateral movement and persistence within the environment.
"""
integration = ["aws.cloudtrail"]
uuid = "418baaf2-9ae1-11ef-be63-f661ea17fbcd"
name = "AWS IAM Customer-Managed Policy Attachment to Existing Roles"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Review the `attached_policy_name` and `target_role_name` fields to identify the customer-managed policy and role involved in the attachment.",
"Review the permissions of the attached policy to determine the potential impact of the privilege escalation attempt.",
"Review all entities that `target_role_name` may be attached to as these entities may have been compromised or misused.",
"Consider reviewing the `aws.cloudtrail.user_identity.arn` field to identify the actor responsible for the privilege escalation attempt.",
"Review the user agent of the actor to determine the source of the privilege escalation attempt, such as an AWS CLI or SDK.",
]
mitre = ['T1548.005']
query = [
'''
from logs-aws.cloudtrail*
| where
event.dataset == "aws.cloudtrail"
and event.provider == "iam.amazonaws.com"
and event.action == "AttachRolePolicy"
and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{}::%{owner}:%{?policy_key}/%{attached_policy_name}, %{?role_name_key}=%{target_role_name}}"
| where owner != "aws"
| stats
actor_attaching_role_count = count(*) by aws.cloudtrail.user_identity.arn, attached_policy_name, target_role_name
'''
]
1 change: 1 addition & 0 deletions hunting/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ Here are the queries currently available:


## aws
- [AWS IAM Customer-Managed Policy Attachment for Privilege Escalation](./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md) (ES|QL)
- [EC2 Modify Instance Attribute User Data](./aws/docs/ec2_modify_instance_attribute_user_data.md) (ES|QL)
- [EC2 Suspicious Get User Password Request](./aws/docs/ec2_suspicious_get_user_password_request.md) (ES|QL)
- [High EC2 Instance Deployment Count Attempts by Single User or Role](./aws/docs/ec2_high_instance_deployment_count_attempts.md) (ES|QL)
Expand Down
5 changes: 5 additions & 0 deletions hunting/index.yml
Original file line number Diff line number Diff line change
Expand Up @@ -364,6 +364,11 @@ aws:
path: ./aws/queries/sts_suspicious_federated_temporary_credential_request.toml
mitre:
- T1550.001
418baaf2-9ae1-11ef-be63-f661ea17fbcd:
name: AWS IAM Customer-Managed Policy Attachment for Privilege Escalation
path: ./aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml
mitre:
- T1548.005
windows:
44e6adc6-e183-4bfa-b06d-db41669641fa:
name: Rundll32 Execution Aggregated by Command Line
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "0.2.0"
version = "0.2.1"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
[metadata]
creation_date = "2024/11/04"
integration = ["aws"]
maturity = "production"
updated_date = "2024/11/04"

[rule]
author = ["Elastic"]
description = """
Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or
unauthorized user. Customer-managed policies are policies created and controlled within an AWS account, granting
specific permissions to roles or users when attached. This rule identifies potential privilege escalation by flagging
cases where a customer-managed policy is attached to a role by an unexpected actor, which could signal unauthorized
access or misuse. Attackers may attach policies to roles to expand permissions and elevate their privileges within the
AWS environment. This is a [New
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that uses the
`aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.flattened.request_parameters.roleName` fields to check if the
combination of the actor ARN and target role name has not been seen in the last 14 days.
"""
false_positives = [
"""
Legitimate IAM administrators may attach customer-managed policies to roles for various reasons, such as granting
temporary permissions or updating existing policies. Ensure that the user attaching the policy is authorized to do
so and that the action is expected.
""",
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Customer-Managed Policy Attached to Role by Rare User"
note = """## Triage and Analysis
### Investigating AWS IAM Customer-Managed Policy Attachment to Role by Unusual User
This rule detects when a customer-managed IAM policy is attached to a role by an unusual or unauthorized user. This activity may indicate a potential privilege escalation attempt within the AWS environment. Adversaries could attach policies to roles to expand permissions, thereby increasing their capabilities and achieving elevated access.
#### Possible Investigation Steps
- **Identify the Initiating User and Target Role**:
- **User Identity**: Examine the `aws.cloudtrail.user_identity.arn` field to determine the user who initiated the policy attachment. Confirm if this user typically has permissions to modify IAM roles and if their activity is consistent with their usual responsibilities.
- **Target Role**: Review `aws.cloudtrail.flattened.request_parameters.roleName` to identify the role to which the policy was attached. Assess whether modifying this role is expected for this user or if this action is unusual in your environment.
- **Analyze the Attached Policy**:
- **Policy ARN**: Inspect the `aws.cloudtrail.flattened.request_parameters.policyArn` field to identify the specific customer-managed policy attached to the role. Evaluate if this policy grants sensitive permissions, especially permissions that could enable privileged actions or data access.
- **Policy Permissions**: Examine the policy content to determine the scope of permissions granted. Policies enabling actions like `s3:*`, `ec2:*`, or `iam:*` could be leveraged for broader access, persistence, or lateral movement.
- **Review Source and User Agent Details**:
- **Source IP and Location**: Analyze the `source.address` and `source.geo` fields to confirm the IP address and geographic location where the policy attachment originated. Verify if this matches expected locations for the initiating user.
- **User Agent Analysis**: Examine `user_agent.original` to determine if AWS CLI, SDK, or other tooling was used to perform this action. Tool identifiers like `aws-cli` or `boto3` may indicate automation, while others may suggest interactive sessions.
- **Evaluate Anomalous Behavior Patterns**:
- **User’s Historical Activity**: Check if the initiating user has a history of attaching policies to roles. An unusual pattern in policy attachments could indicate suspicious behavior, especially if the user lacks authorization.
- **Role Modification History**: Investigate if the targeted role is frequently modified by this or other users. Repeated, unauthorized modifications to a role could signal an attempt to maintain elevated access.
- **Correlate with Related CloudTrail Events**:
- **Other IAM or CloudTrail Activities**: Look for recent actions associated with the same user or role by reviewing `event.action` by `event.provider` to identify which AWS services were accessed. This may provide context on the user’s intent or additional actions taken.
- **Broader Suspicious Patterns**: Identify if similar anomalous events have recently occurred, potentially suggesting a coordinated or escalating attack pattern within the AWS account.
### False Positive Analysis
- **Authorized Administrative Actions**: IAM administrators may legitimately attach policies to roles as part of routine role management. Verify if the user is authorized and if the activity aligns with expected administrative tasks.
- **Role-Specific Modifications**: Roles that frequently undergo policy updates may trigger this rule during standard operations. Consider monitoring for patterns or establishing known exceptions for specific users or roles where appropriate.
### Response and Remediation
- **Immediate Access Review**: If the policy attachment is unauthorized, consider detaching the policy and reviewing the permissions granted to the initiating user.
- **Restrict Role Modification Permissions**: Limit which users or roles can attach policies to critical IAM roles. Apply least privilege principles to reduce the risk of unauthorized policy changes.
- **Enhance Monitoring and Alerts**: Enable real-time alerts and monitoring on IAM policy modifications to detect similar actions promptly.
- **Regular Policy Audits**: Conduct periodic audits of IAM policies and role permissions to ensure that unauthorized changes are quickly identified and addressed.
### Additional Information
For more information on managing IAM policies and roles in AWS environments, refer to the [AWS IAM Documentation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html) and AWS security best practices.
"""
references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html"]
risk_score = 21
rule_id = "f6d07a70-9ad0-11ef-954f-f661ea17fbcd"
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS IAM",
"Resources: Investigation Guide",
"Use Case: Identity and Access Audit",
"Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
and event.provider: "iam.amazonaws.com"
and event.action: "AttachRolePolicy"
and event.outcome: "success"
and not aws.cloudtrail.flattened.request_paramters.policyArn: arn\:aws\:iam\:\:aws\:policy*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.005"
name = "Temporary Elevated Cloud Access"
reference = "https://attack.mitre.org/techniques/T1548/005/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.flattened.request_parameters.roleName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"


0 comments on commit 2e61fbe

Please sign in to comment.