diff --git a/hunting/aws/docs/iam_assume_role_creation_with_attached_policy.md b/hunting/aws/docs/iam_assume_role_creation_with_attached_policy.md
index a6222151f24..a26ddb52adf 100644
--- a/hunting/aws/docs/iam_assume_role_creation_with_attached_policy.md
+++ b/hunting/aws/docs/iam_assume_role_creation_with_attached_policy.md
@@ -26,6 +26,7 @@ from logs-aws.cloudtrail-*
 and aws.cloudtrail.request_parameters RLIKE ".*arn:aws:iam.*"
 | dissect aws.cloudtrail.request_parameters "%{}AWS\": \"arn:aws:iam::%{target_account_id}:"
 | where cloud.account.id != target_account_id
+| keep @timestamp, event.provider, event.action, aws.cloudtrail.request_parameters, target_account_id, cloud.account.id
 ```
 
 ## Notes
diff --git a/hunting/aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md b/hunting/aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md
index da7536e46bd..0b08ad31a14 100644
--- a/hunting/aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md
+++ b/hunting/aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md
@@ -1,4 +1,4 @@
-# AWS IAM Customer-Managed Policy Attachment for Privilege Escalation
+# AWS IAM Customer-Managed Policy Attachment to Existing Roles
 
 ---
 
@@ -10,7 +10,7 @@
 - **UUID:** `418baaf2-9ae1-11ef-be63-f661ea17fbcd`
 - **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail)
 - **Language:** `[ES|QL]`
-- **Source File:** [AWS IAM Customer-Managed Policy Attachment for Privilege Escalation](../queries/iam_customer_managed_policies_attached_to_existing_roles.toml)
+- **Source File:** [AWS IAM Customer-Managed Policy Attachment to Existing Roles](../queries/iam_customer_managed_policies_attached_to_existing_roles.toml)
 
 ## Query
 
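Review bot: The new `| keep` on the iam_assume_role query projects away every actor identity column, so the result set no longer carries `aws.cloudtrail.user_identity.arn` even though the Notes rewritten later in this diff for the sibling customer-managed-policy doc direct the analyst to review exactly that field; if the Notes below this hunk do the same, the query should keep what the Notes reference, e.g. `| keep @timestamp, event.provider, event.action, aws.cloudtrail.user_identity.arn, aws.cloudtrail.request_parameters, target_account_id, cloud.account.id`. The same omission applies to the `keep` lines added in the lambda, signin, ssm and sts hunks, none of which retains the identity ARN an analyst would pivot on first. Because `keep` drops everything not listed, this is a triage-usability regression rather than a detection gap; the `where` filter itself is unchanged. The query's `from` line and any earlier clauses are outside the hunk.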
@@ -29,11 +29,11 @@ from logs-aws.cloudtrail*
 
 ## Notes
 
-- Review the `target_account_id` field to verify the AWS account in which the role is being modified, especially if this account is outside of your organization’s typical accounts.
-- Examine `aws.cloudtrail.request_parameters` for details on the role and attached policy. Customer-managed policies granting overly permissive access, such as `AdministratorAccess`, may signal unauthorized privilege escalation.
-- Cross-reference `event.action` values where `AttachRolePolicy` appears to further investigate attached policies that could enable lateral movement or persistence.
-- Evaluate `aws.cloudtrail.user_identity.arn` to confirm if the actor attaching the policy has legitimate permissions for this action. Anomalous or unauthorized actors may indicate privilege abuse.
-- Look for patterns of multiple `AttachRolePolicy` actions across roles by the same user or entity. High frequency of these actions could suggest an attempt to establish persistent control across roles within your AWS environment.
+- Review the `attached_policy_name` and `target_role_name` fields to identify the customer-managed policy and role involved in the attachment.
+- Review the permissions of the attached policy to determine the potential impact of the privilege escalation attempt.
+- Review all entities that `target_role_name` may be attached to as these entities may have been compromised or misused.
+- Consider reviewing the `aws.cloudtrail.user_identity.arn` field to identify the actor responsible for the privilege escalation attempt.
+- Review the user agent of the actor to determine the source of the privilege escalation attempt, such as an AWS CLI or SDK.
 
 ## MITRE ATT&CK Techniques
 
diff --git a/hunting/aws/docs/lambda_add_permissions_for_write_actions_to_function.md b/hunting/aws/docs/lambda_add_permissions_for_write_actions_to_function.md
index 470d7489f91..5f20d0ca2a3 100644
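Review bot: The rewritten Notes tell the analyst to review `attached_policy_name` and `target_role_name`, but nothing in this diff defines those columns — the query hunk for this file is not shown — so please confirm the query's `dissect`/`eval` actually produces both names; the previous bullets referenced `target_account_id`, which suggests the extracted fields changed and the two edits should be checked against each other. The title hunk earlier in this diff drops "for Privilege Escalation" while bullets two, four and five still describe the event as a "privilege escalation attempt"; attaching a customer-managed policy is only escalation when the policy grants more than the actor already holds, so a neutral wording such as `- Review the permissions of the attached policy to determine the potential impact of the attachment.` keeps the notes consistent with the new title. The removed bullet about repeated `AttachRolePolicy` actions by the same actor was the only frequency-based pivot in the Notes; if dropping it was not deliberate, consider carrying it over.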
--- a/hunting/aws/docs/lambda_add_permissions_for_write_actions_to_function.md
+++ b/hunting/aws/docs/lambda_add_permissions_for_write_actions_to_function.md
@@ -24,6 +24,7 @@ from logs-aws.cloudtrail-*
 | dissect aws.cloudtrail.request_parameters "{%{?principal_key}=%{principal_id}, %{?function_name_key}=%{function_name}, %{?statement_key}=%{statement_value}, %{?action_key}=lambda:%{action_value}}"
 | eval write_action = (starts_with(action_value, "Invoke") or starts_with("Update", action_value) or starts_with("Put", action_value))
 | where write_action == true
+| keep @timestamp, principal_id, event.provider, event.action, aws.cloudtrail.request_parameters, principal_id, function_name, action_value, statement_value, write_action
 ```
 
 ## Notes
diff --git a/hunting/aws/docs/signin_single_factor_console_login_via_federated_session.md b/hunting/aws/docs/signin_single_factor_console_login_via_federated_session.md
index ecd2a3302d5..ddc1864d98a 100644
--- a/hunting/aws/docs/signin_single_factor_console_login_via_federated_session.md
+++ b/hunting/aws/docs/signin_single_factor_console_login_via_federated_session.md
@@ -24,6 +24,7 @@ from logs-aws.cloudtrail-*
 and aws.cloudtrail.user_identity.type == "FederatedUser"
 | dissect aws.cloudtrail.additional_eventdata "{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}"
 | where mfa_used == "No"
+| keep @timestamp, event.provider, event.action, aws.cloudtrail.event_type, aws.cloudtrail.user_identity.type, aws.cloudtrail.additional_eventdata, mobile_version, mfa_used
 ```
 
 ## Notes
diff --git a/hunting/aws/docs/ssm_sendcommand_api_used_by_ec2_instance.md b/hunting/aws/docs/ssm_sendcommand_api_used_by_ec2_instance.md
index fdd7a7be660..3f70647239c 100644
--- a/hunting/aws/docs/ssm_sendcommand_api_used_by_ec2_instance.md
+++ b/hunting/aws/docs/ssm_sendcommand_api_used_by_ec2_instance.md
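Review bot: `principal_id` is listed twice in the new `keep` (second and sixth position); whether or not the parser tolerates the duplicate it is redundant, and the line should read `| keep @timestamp, principal_id, event.provider, event.action, aws.cloudtrail.request_parameters, function_name, action_value, statement_value, write_action`. Separately, the `eval` this `keep` preserves has its `starts_with` arguments reversed in two of the three branches — `starts_with("Update", action_value)` tests whether the literal "Update" begins with the extracted action — so Update*- and Put*-prefixed actions never set `write_action` and the hunt effectively matches only `Invoke*`; the fix is `| eval write_action = (starts_with(action_value, "Invoke") or starts_with(action_value, "Update") or starts_with(action_value, "Put"))`. That `eval` is context rather than part of this change, but since the commit already touches this query it is worth correcting in the same pass so the projected `write_action` column means what its name says.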
@@ -22,6 +22,7 @@ from logs-aws.cloudtrail-*
 and aws.cloudtrail.user_identity.type == "AssumedRole"
 and event.action == "SendCommand"
 and user.id like "*:i-*"
+| keep @timestamp, event.provider, event.action, aws.cloudtrail.user_identity.type, user.id, aws.cloudtrail.request_parameters
 ```
 
 ## Notes
diff --git a/hunting/aws/docs/sts_suspicious_federated_temporary_credential_request.md b/hunting/aws/docs/sts_suspicious_federated_temporary_credential_request.md
index 3b20d7e45bb..469ebb88cd4 100644
--- a/hunting/aws/docs/sts_suspicious_federated_temporary_credential_request.md
+++ b/hunting/aws/docs/sts_suspicious_federated_temporary_credential_request.md
@@ -26,6 +26,7 @@ from logs-aws.cloudtrail-*
 | dissect aws.cloudtrail.request_parameters "{%{}policyArns=[%{policies_applied}]"
 | eval duration_minutes = to_integer(duration_requested) / 60
 | where (duration_minutes > 1440) or (policies_applied RLIKE ".*AdministratorAccess.*")
+| keep @timestamp, event.dataset, event.provider, event.action, aws.cloudtrail.request_parameters, user_name, duration_requested, duration_minutes, policies_applied
 ```
 
 ## Notes
diff --git a/hunting/okta/docs/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md b/hunting/okta/docs/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md
index cf66d18a3c8..5bc8c3ddeae 100644
--- a/hunting/okta/docs/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md
+++ b/hunting/okta/docs/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md
@@ -33,6 +33,8 @@ from logs-okta.system*
 
 // filter for scopes that are not implicitly granted
 and okta.outcome.reason == "no_matching_scope"
+
+| keep @timestamp, event.action, okta.actor.type, okta.outcome.result, okta.outcome.reason, okta.actor.display_name
 ```
 
 ## Notes
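Review bot: The new `keep` in the sts hunk names `user_name` and `duration_requested`, neither of which is produced within the hunk — the visible `dissect` yields only `policies_applied`, and `duration_minutes` is derived from `duration_requested` — so both must come from an earlier `dissect`/`eval` outside the hunk; please confirm they exist under exactly those names, because as far as I recall ES|QL rejects `keep` of an unknown column and the whole hunt would then error rather than return fewer fields. This hunk also keeps `event.dataset`, which none of the other `keep` lines in this diff do; either choice is fine, but the projected column set should be consistent across the AWS hunts so analysts see the same baseline fields. The query's `from` line and earlier clauses are outside the hunk.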
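Review bot: The okta hunk adds an empty line (the lone `+`) before `| keep` inside the fenced query, which none of the other query hunks in this diff do; it is harmless to ES|QL, but since these docs are rendered from the TOML sources the stray blank is better dropped so the `keep` follows the last `and` clause directly, as in the AWS hunts. The `keep` retains `okta.actor.display_name` and `okta.actor.type` but no login identifier for the actor; if the integration maps one (e.g. `okta.actor.alternate_name`), consider keeping it too, since a display name alone is not a reliable pivot for a failed-token-retrieval hunt. The query's `from` line and earlier clauses are outside the hunk.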