Privilege escalation via DataPipeline policy

Back


Id	48896551-1c28-4a09-8388-e51e5a927d23
Rulename	Privilege escalation via DataPipeline policy
Description	Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on Datapipeline policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
Severity	Medium
Tactics	PrivilegeEscalation
Techniques	T1484
Required data connectors	AWS
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaDataPipeline.yaml
Version	1.0.1
Arm template	48896551-1c28-4a09-8388-e51e5a927d23.json

KQL

AWSCloudTrail
  | where EventName in ("PutUserPolicy","PutRolePolicy","PutGroupPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend PolicyName = tostring(parse_json(RequestParameters).policyName)
  | extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement
  | mvexpand Statement
  | extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource), Condition = tostring(parse_json(Statement).Condition)
  | extend Action = tostring(Action)
  | where Effect =~ "Allow" and (((Action has "iam:*" or Action has "iam:PassRole") and Action has "datapipeline:*") or ((Action has "iam:*" or Action has "iam:PassRole") and Action has "datapipeline:CreatePipeline" and Action has "datapipeline:PutPipelineDefinition" and Action has "datapipeline:ActivatePipeline") or ((Action contains "iam:*" or Action contains "iam:PassRole") and Action contains "datapipeline:Create*" and Action contains "datapipeline:Put*" and Action contains "datapipeline:Activate*")) and Resource == "*" and isempty(Condition)
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  | distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityArn, UserIdentityUserName
  | extend timestamp = TimeGenerated

YAML

status: Available
queryFrequency: 1d
id: 48896551-1c28-4a09-8388-e51e5a927d23
tactics:
- PrivilegeEscalation
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  - columnName: RecipientAccountId
    identifier: CloudAppAccountId
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaDataPipeline.yaml
version: 1.0.1
query: |
  AWSCloudTrail
    | where EventName in ("PutUserPolicy","PutRolePolicy","PutGroupPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
    | extend PolicyName = tostring(parse_json(RequestParameters).policyName)
    | extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement
    | mvexpand Statement
    | extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource), Condition = tostring(parse_json(Statement).Condition)
    | extend Action = tostring(Action)
    | where Effect =~ "Allow" and (((Action has "iam:*" or Action has "iam:PassRole") and Action has "datapipeline:*") or ((Action has "iam:*" or Action has "iam:PassRole") and Action has "datapipeline:CreatePipeline" and Action has "datapipeline:PutPipelineDefinition" and Action has "datapipeline:ActivatePipeline") or ((Action contains "iam:*" or Action contains "iam:PassRole") and Action contains "datapipeline:Create*" and Action contains "datapipeline:Put*" and Action contains "datapipeline:Activate*")) and Resource == "*" and isempty(Condition)
    | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
    | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
    | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
    | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
      AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
    | distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityArn, UserIdentityUserName
    | extend timestamp = TimeGenerated  
description: |
    'Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on Datapipeline policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.'
relevantTechniques:
- T1484
triggerThreshold: 0
queryPeriod: 1d
triggerOperator: gt
name: Privilege escalation via DataPipeline policy
severity: Medium
kind: Scheduled

ARM