AWSCloudTrail - Privilege escalation via DataPipeline policy
| Id | 48896551-1c28-4a09-8388-e51e5a927d23 |
| Rulename | AWSCloudTrail - Privilege escalation via DataPipeline policy |
| Description | Detects inline IAM policy updates that combine Data Pipeline permissions with IAM privileges such as iam:PassRole. This sequence can enable indirect execution and elevated access pathways, indicating potential privilege escalation activity. |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1098.003 |
| Required data connectors | AWS |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaDataPipeline.yaml |
| Version | 1.0.2 |
| Arm template | 48896551-1c28-4a09-8388-e51e5a927d23.json |
AWSCloudTrail
| where EventName in ("PutUserPolicy","PutRolePolicy","PutGroupPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
| extend PolicyName = tostring(parse_json(RequestParameters).policyName)
| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement
| mvexpand Statement
| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource), Condition = tostring(parse_json(Statement).Condition)
| extend Action = tostring(Action)
| where Effect =~ "Allow" and (((Action has "iam:*" or Action has "iam:PassRole") and Action has "datapipeline:*") or ((Action has "iam:*" or Action has "iam:PassRole") and Action has "datapipeline:CreatePipeline" and Action has "datapipeline:PutPipelineDefinition" and Action has "datapipeline:ActivatePipeline") or ((Action contains "iam:*" or Action contains "iam:PassRole") and Action contains "datapipeline:Create*" and Action contains "datapipeline:Put*" and Action contains "datapipeline:Activate*")) and Resource == "*" and isempty(Condition)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityArn, UserIdentityUserName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- identifier: CloudAppAccountId
columnName: RecipientAccountId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
tactics:
- PrivilegeEscalation
requiredDataConnectors:
- dataTypes:
- AWSCloudTrail
connectorId: AWS
alertDetailsOverride:
alertDisplayNameFormat: AWS Data Pipeline privilege escalation policy update by {{AccountName}}
alertDescriptionFormat: Detected {{EventName}} Event, updating inline Data Pipeline escalation policy {{PolicyName}} in account {{RecipientAccountId}}.
id: 48896551-1c28-4a09-8388-e51e5a927d23
severity: Medium
status: Available
customDetails:
RecipientAccountId: RecipientAccountId
UserIdentityArn: UserIdentityArn
EventName: EventName
PolicyName: PolicyName
query: |
AWSCloudTrail
| where EventName in ("PutUserPolicy","PutRolePolicy","PutGroupPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
| extend PolicyName = tostring(parse_json(RequestParameters).policyName)
| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement
| mvexpand Statement
| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource), Condition = tostring(parse_json(Statement).Condition)
| extend Action = tostring(Action)
| where Effect =~ "Allow" and (((Action has "iam:*" or Action has "iam:PassRole") and Action has "datapipeline:*") or ((Action has "iam:*" or Action has "iam:PassRole") and Action has "datapipeline:CreatePipeline" and Action has "datapipeline:PutPipelineDefinition" and Action has "datapipeline:ActivatePipeline") or ((Action contains "iam:*" or Action contains "iam:PassRole") and Action contains "datapipeline:Create*" and Action contains "datapipeline:Put*" and Action contains "datapipeline:Activate*")) and Resource == "*" and isempty(Condition)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityArn, UserIdentityUserName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaDataPipeline.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.2
name: AWSCloudTrail - Privilege escalation via DataPipeline policy
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1098.003
description: |
Detects inline IAM policy updates that combine Data Pipeline permissions with IAM privileges such as
iam:PassRole. This sequence can enable indirect execution and elevated access pathways, indicating potential
privilege escalation activity.
triggerOperator: gt