AWSCloudTrail - Privilege escalation with admin managed policy
| Field | Value |
|---|---|
| Id | 49ce5322-60d7-4b02-ad79-99f650aa5790 |
| Rulename | AWSCloudTrail - Privilege escalation with admin managed policy |
| Description | Detects successful attachment of admin-related managed IAM policies to users, roles, or groups, excluding the dedicated AdministratorAccess and FullAccess patterns handled by other detections. This behavior may indicate unauthorized privilege escalation and should be validated against approved administrative changes. |
| Severity | Medium |
| Tactics | PrivilegeEscalation, Persistence |
| Techniques | T1098.003 |
| Required data connectors | AWS |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationAdminManagedPolicy.yaml |
| Version | 1.0.2 |
| Arm template | 49ce5322-60d7-4b02-ad79-99f650aa5790.json |
```kql
AWSCloudTrail
// Successful attachments only: failed attempts (e.g. AccessDenied) carry an ErrorCode/ErrorMessage
| where EventName in ("AttachUserPolicy","AttachRolePolicy","AttachGroupPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
// Admin-named managed policies, minus the FullAccess and AdministratorAccess* ARNs that other rules cover.
// KQL contains/startswith are case-insensitive, so customer-managed policies such as "cluster-admin" match as well.
| where tostring(parse_json(RequestParameters).policyArn) contains "Admin" and tostring(parse_json(RequestParameters).policyArn) !contains "FullAccess" and tostring(parse_json(RequestParameters).policyArn) !startswith "arn:aws:iam::aws:policy/AdministratorAccess"
// Fall back to the first resource ARN when the caller identity ARN is missing
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
// Last ARN path segment: the IAM user name, or the session name for an assumed role
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
// Split a UPN-shaped name (e.g. a federated session name) into Name and UPNSuffix for the Account entity mapping
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, RequestParameters, ResponseElements, UserIdentityArn
```
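To check the tuning of the query above without a Sentinel workspace, the following is an added example (not code from the Azure-Sentinel repository) that re-implements the rule's two `where` clauses and the AccountName/AccountUPNSuffix derivation in Python and runs them over constructed rows shaped like the AWSCloudTrail table. The rows, the account id 123456789012, and the principals are made up; the policy ARNs use real AWS managed policy names as sample values. It assumes the KQL `contains`/`startswith` semantics (case-insensitive) and the column names exactly as the query uses them.

```python
import json

ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
ADMIN_ACCESS_PREFIX = "arn:aws:iam::aws:policy/AdministratorAccess"


def kql_contains(haystack, needle):
    # KQL `contains` and `startswith` are case-insensitive (the `_cs` forms are not),
    # so the rule matches "cluster-admin" as well as "SystemAdministrator".
    return needle.lower() in haystack.lower()


def kql_startswith(value, prefix):
    return value.lower().startswith(prefix.lower())


def policy_arn_in_scope(policy_arn):
    """The three ARN predicates from the rule's second `where` clause."""
    return (kql_contains(policy_arn, "Admin")
            and not kql_contains(policy_arn, "FullAccess")
            and not kql_startswith(policy_arn, ADMIN_ACCESS_PREFIX))


def matches(row):
    """Both `where` clauses: a successful attach of an in-scope policy."""
    if row["EventName"] not in ATTACH_EVENTS:
        return False
    if row.get("ErrorCode") or row.get("ErrorMessage"):
        return False  # failed attempts (e.g. AccessDenied) are deliberately ignored
    policy_arn = str(json.loads(row["RequestParameters"]).get("policyArn", ""))
    return policy_arn_in_scope(policy_arn)


def account_fields(row):
    """The `extend` chain: AccountName and AccountUPNSuffix for the Account entity."""
    arn = row.get("UserIdentityArn") or ""
    if not arn:  # fall back to the first resource ARN, as the rule does
        resources = json.loads(row.get("Resources") or "[]")
        arn = str(resources[0].get("ARN", "")) if resources else ""
    user_name = arn.split("/")[-1]  # split(UserIdentityArn, '/')[-1]
    if row.get("UserIdentityPrincipalid") == "Anonymous":
        account = "Anonymous"
    elif not row.get("UserIdentityUserName"):
        account = user_name  # assumed roles carry no userName; the session name is used
    else:
        account = row["UserIdentityUserName"]
    if "@" in account:
        parts = account.split("@")
        return parts[0], parts[1]  # split(..., '@', 0)[0] and split(..., '@', 1)[0]
    return account, ""


def run_rule(rows):
    hits = []
    for row in rows:
        if not matches(row):
            continue
        name, suffix = account_fields(row)
        hits.append({"EventName": row["EventName"], "AccountName": name,
                     "AccountUPNSuffix": suffix,
                     "PolicyArn": json.loads(row["RequestParameters"])["policyArn"]})
    return hits


def _row(event, policy_arn, identity_arn, user_name="", error_code=""):
    """Constructed AWSCloudTrail-shaped row carrying only the columns the rule reads."""
    return {"EventName": event, "ErrorCode": error_code, "ErrorMessage": "",
            "RequestParameters": json.dumps({"policyArn": policy_arn}),
            "UserIdentityArn": identity_arn, "UserIdentityPrincipalid": "AIDAEXAMPLE",
            "UserIdentityUserName": user_name, "Resources": "[]"}


# Constructed sample rows (not real telemetry). Expected: only the first two fire.
SAMPLE_ROWS = [
    # IAM user attaches the AWS-managed SystemAdministrator job-function policy: fires
    _row("AttachUserPolicy", "arn:aws:iam::aws:policy/job-function/SystemAdministrator",
         "arn:aws:iam::123456789012:user/deploy-bot", user_name="deploy-bot"),
    # assumed role with a UPN-shaped session name attaches a customer policy "cluster-admin":
    # fires (case-insensitive contains); AccountName/UPNSuffix become alice / example.com
    _row("AttachRolePolicy", "arn:aws:iam::123456789012:policy/cluster-admin",
         "arn:aws:sts::123456789012:assumed-role/OrgAdmin/alice@example.com"),
    # AdministratorAccess itself: excluded, a separate rule covers it
    _row("AttachGroupPolicy", "arn:aws:iam::aws:policy/AdministratorAccess",
         "arn:aws:iam::123456789012:user/deploy-bot", user_name="deploy-bot"),
    # AdministratorAccess-Amplify is also silenced by the prefix exclusion; confirm the
    # companion AdministratorAccess rule really covers it in your workspace
    _row("AttachRolePolicy", "arn:aws:iam::aws:policy/AdministratorAccess-Amplify",
         "arn:aws:iam::123456789012:user/deploy-bot", user_name="deploy-bot"),
    # IAMFullAccess: no "Admin" in the ARN, and the FullAccess exclusion applies anyway
    _row("AttachUserPolicy", "arn:aws:iam::aws:policy/IAMFullAccess",
         "arn:aws:iam::123456789012:user/deploy-bot", user_name="deploy-bot"),
    # denied attempt against an admin policy: ErrorCode is set, so it is not a successful attach
    _row("AttachUserPolicy", "arn:aws:iam::123456789012:policy/TeamAdmin",
         "arn:aws:iam::123456789012:user/intern", user_name="intern", error_code="AccessDenied"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_ROWS):
        print(hit)
```

Two things worth noting from the run: the `AccessDenied` row never reaches the alert, so repeated failed attempts to attach an admin policy are invisible to this rule and need their own detection if you care about them; and any AWS-managed policy whose ARN begins with `arn:aws:iam::aws:policy/AdministratorAccess` is silenced by the prefix exclusion, so the companion rule must be checked to confirm it covers those variants. To generate a true-positive row in a sandbox account, run `aws iam attach-user-policy --user-name <user> --policy-arn arn:aws:iam::aws:policy/job-function/SystemAdministrator` and wait for the CloudTrail record to reach the connector.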
```yaml
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
      - identifier: CloudAppAccountId
        columnName: RecipientAccountId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIpAddress
tactics:
  - PrivilegeEscalation
  - Persistence
requiredDataConnectors:
  - dataTypes:
      - AWSCloudTrail
    connectorId: AWS
alertDetailsOverride:
  alertDisplayNameFormat: AWS admin managed policy attachment by {{AccountName}}
  alertDescriptionFormat: Detected {{EventName}} from {{SourceIpAddress}} attaching admin-related managed policy in account {{RecipientAccountId}}.
id: 49ce5322-60d7-4b02-ad79-99f650aa5790
severity: Medium
status: Available
customDetails:
  AWSRegion: AWSRegion
  UserIdentityArn: UserIdentityArn
  EventSource: EventSource
  EventName: EventName
query: |
  AWSCloudTrail
  | where EventName in ("AttachUserPolicy","AttachRolePolicy","AttachGroupPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
  | where tostring(parse_json(RequestParameters).policyArn) contains "Admin" and tostring(parse_json(RequestParameters).policyArn) !contains "FullAccess" and tostring(parse_json(RequestParameters).policyArn) !startswith "arn:aws:iam::aws:policy/AdministratorAccess"
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
      AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  | project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, RequestParameters, ResponseElements, UserIdentityArn
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationAdminManagedPolicy.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.2
name: AWSCloudTrail - Privilege escalation with admin managed policy
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
  - T1098.003
description: |
  Detects successful attachment of admin-related managed IAM policies to users, roles, or groups, excluding
  the dedicated AdministratorAccess and FullAccess patterns handled by other detections. This behavior may indicate
  unauthorized privilege escalation and should be validated against approved administrative changes.
triggerOperator: gt
```