47 строки
2.7 KiB
YAML
47 строки
2.7 KiB
YAML
id: 0db42a94-e7c8-4bf1-99a7-1a2fb4158212
|
|
name: Privileged role attached to Instance
|
|
description: |
|
|
'Identity and Access Management (IAM) securely manages access to AWS services and resources.
|
|
Identifies when a Privileged role is attached to an existing instance or new instance at deployment. This instance may be used by an adversary to escalate a normal user privileges to an adminsitrative level.
|
|
and AWS API AddRoleToInstanceProfile at https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html'
|
|
requiredDataConnectors:
|
|
- connectorId: AWS
|
|
dataTypes:
|
|
- AWSCloudTrail
|
|
tactics:
|
|
- PrivilegeEscalation
|
|
relevantTechniques:
|
|
- T1098
|
|
query: |
|
|
|
|
let EventNameList = dynamic(["AttachUserPolicy","AttachRolePolicy","AttachGroupPolicy"]);
|
|
let PolicyArnList = dynamic(["arn:aws:iam::aws:policy/AdministratorAccess","arn:aws:iam::aws:policy/DatabaseAdministrator","arn:aws:iam::aws:policy/NetworkAdministrator","arn:aws:iam::aws:policy/SystemAdministrator","arn:aws:iam::aws:policy/AmazonS3FullAccess"]);
|
|
let starttime = todatetime('{{StartTimeISO}}');
|
|
let endtime = todatetime('{{EndTimeISO}}');
|
|
let lookback = starttime - 14d;
|
|
//Creating a temp table of events creating privileged role or users which can later be correlated with suspicious operations.
|
|
let PrivilegedRoleorUsers = AWSCloudTrail
|
|
| where TimeGenerated >= lookback
|
|
| where EventName in (EventNameList)
|
|
| extend PolicyArn = tostring(parse_json(RequestParameters).policyArn), RoleName = tostring(parse_json(RequestParameters).roleName)
|
|
| where PolicyArn in (PolicyArnList)
|
|
| distinct PolicyArn, UserIdentityType, UserIdentityUserName,RoleName;
|
|
// Joining the list of identities having Privileged roles with the API call AddRoleToInstanceProfile to indentify the instances which may be used by adversaries as pivot point for privilege escalation.
|
|
PrivilegedRoleorUsers
|
|
| join (
|
|
AWSCloudTrail
|
|
| where TimeGenerated between (starttime..endtime)
|
|
| where EventName in ("AddRoleToInstanceProfile")
|
|
| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName), RoleName = tostring(parse_json(RequestParameters).roleName)
|
|
| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn , UserIdentityUserName, SourceIpAddress, RoleName
|
|
) on RoleName
|
|
| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIpAddress, AccountCustomEntity = RoleName
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity |