title: AWS Passed Role to Lambda Function
id: d914951b-52c8-485f-875e-86abab710c0b
description: Detects when a user with these permissions could escalate privileges by passing an existing IAM role to a new Lambda function that includes code to import the AWS library for their programming language. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account.
author: Austin Songer @austinsonger
status: experimental
date: 2021/10/03
references:
    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
logsource:
    service: cloudtrail
detection:
    selection1:
        eventSource: iam.amazonaws.com
        eventName: PassRole
    selection2:
        eventSource: lambda.amazonaws.com
        eventName: CreateFunction
    selection3:
        eventSource: lambda.amazonaws.com
        eventName: InvokeFunction
    condition: selection1 and selection2 and selection3
level: low
tags:
    - attack.privilege_escalation
    - attack.t1078
falsepositives:
    - Passing a role to a new Lambda function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - If known behavior is causing false positives, it can be exempted from the rule.
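As an added example (not part of the rule above or of the Sigma project), the following Python evaluates the three selections over constructed CloudTrail records. It also shows a caveat a detection engineer should check before deploying the rule: each CloudTrail record carries exactly one eventSource, so a literal per-event reading of `selection1 and selection2 and selection3` can never match, and the intended logic is a correlation of the three events per principal within a time window. The `userIdentity.arn` grouping key, the 600-second window and the sample ARNs are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records (not real logs): only the fields the rule
# matches on, plus the principal and timestamp needed for correlation.
DEV = "arn:aws:iam::111111111111:user/dev"   # placeholder account/user
OPS = "arn:aws:iam::111111111111:user/ops"   # placeholder account/user
SAMPLE_EVENTS = [
    {"eventTime": "2021-10-03T10:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PassRole", "userIdentity": {"arn": DEV}},
    {"eventTime": "2021-10-03T10:00:05Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction", "userIdentity": {"arn": DEV}},
    {"eventTime": "2021-10-03T10:00:09Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "InvokeFunction", "userIdentity": {"arn": DEV}},
    {"eventTime": "2021-10-03T11:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "InvokeFunction", "userIdentity": {"arn": OPS}},
]

# The rule's three selections, transcribed from the detection block.
SELECTIONS = {
    "selection1": {"eventSource": "iam.amazonaws.com", "eventName": "PassRole"},
    "selection2": {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction"},
    "selection3": {"eventSource": "lambda.amazonaws.com", "eventName": "InvokeFunction"},
}

def matches(event, selection):
    """Sigma selection semantics: every listed field must equal its value."""
    return all(event.get(k) == v for k, v in selection.items())

def per_event_hits(events):
    """Literal reading: one record satisfying all three selections (never true)."""
    return [e for e in events if all(matches(e, s) for s in SELECTIONS.values())]

def _ts(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))

def correlated_hits(events, window_seconds=600):
    """Correlation reading: one principal emits PassRole, then CreateFunction and
    InvokeFunction, all within window_seconds of the PassRole event."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)
    alerts = []
    for arn, evs in by_principal.items():
        times = {n: [_ts(e) for e in evs if matches(e, s)] for n, s in SELECTIONS.items()}
        for t0 in times["selection1"]:
            def in_window(ts_list):
                return any(0 <= (t - t0).total_seconds() <= window_seconds for t in ts_list)
            if in_window(times["selection2"]) and in_window(times["selection3"]):
                alerts.append(arn)
                break
    return alerts
```

Run against a real backend, the correlated form is what an aggregation or chain rule must express; the per-event form is what a naive conversion of the condition produces.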