sigma-rules/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml

[metadata]
creation_date = "2020/07/06"
maturity = "production"
updated_date = "2021/07/20"
integration = "aws"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of
a misconfigured role in order to gain the privileges of that role.
"""
false_positives = [
    """
    Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy
    updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can
    be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Assume Role Policy Update"
note = """## Config

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]
risk_score = 21
rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"