Microsoft Sentinel Analytic Rules

Creation of SSM policy and then privilege escalation

Id: aaa2c05e-fdd4-4fa0-9072-6cffe3641b34
Rulename: Creation of SSM policy and then privilege escalation
Description: Detected creation of a new SSM policy followed by one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique used by attackers.
Severity: Medium
Tactics: PrivilegeEscalation
Techniques: T1484
Required data connectors: AWS
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedSSMPolicytoPrivilegeEscalation.yaml
Version: 1.0.0
Arm template: aaa2c05e-fdd4-4fa0-9072-6cffe3641b34.json
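// Detection: an IAM policy granting SSM permissions (ssm:* / ssm:Create* /
// ssm:CreateAssociation on Resource "*", unconditionally) is created, and within
// the last day one of the attach-policy operations (AttachUserPolicy /
// AttachRolePolicy / AttachGroupPolicy) references a policy of the same name.
// Output: one row per qualifying CreatePolicy event, with the matching attach
// activity (if any) packed into AttachEvent.
let EventNameList = dynamic(["AttachUserPolicy","AttachRolePolicy","AttachGroupPolicy"]);
let createPolicy = "CreatePolicy";
let timeframe = 1d;   // window in which the attach must have occurred
let lookback = 14d;   // how far back a qualifying CreatePolicy event is considered
// Master table of the relevant CloudTrail events; both branches below read from it.
let EventInfo = AWSCloudTrail
| where TimeGenerated >= ago(lookback)
| where EventName in (EventNameList) or EventName == createPolicy;
// CreatePolicy events whose policy document holds at least one Allow statement
// granting the SSM actions above on Resource "*" with no Condition.
// This is not a "full admin" check: only SSM-scoped permissions are matched.
let FullAdminPolicyEvents = materialize(EventInfo
| where EventName == createPolicy
| extend PolicyName = tostring(parse_json(RequestParameters).policyName)
| extend Statement = parse_json(tostring(parse_json(RequestParameters).policyDocument)).Statement
// IAM allows Statement to be a single object rather than an array; normalise so
// mv-expand yields one row per statement in both cases (mv-expand on a property
// bag would otherwise split it into one row per property).
| extend Statement = iff(gettype(Statement) == "array", Statement, pack_array(Statement))
| mv-expand Statement
// Action may be a string or an array; tostring() gives searchable JSON text either way.
| extend Action = tostring(parse_json(Statement).Action),
         Effect = tostring(parse_json(Statement).Effect),
         Resource = tostring(parse_json(Statement).Resource),
         Condition = tostring(parse_json(Statement).Condition)
| where Effect =~ "Allow"
    and (Action contains "ssm:*" or Action contains "ssm:Create*" or Action contains "ssm:CreateAssociation")
    and Resource == "*"
    and Condition == ""   // tostring() of a missing Condition is "", i.e. an unconditional grant
| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName
// Fall back to the last ARN segment when UserIdentityUserName is empty.
| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))
| project-rename StartTime = TimeGenerated);
// Successful attach operations in the last day, keyed by the attached policy's name.
let PolicyAttach = materialize(EventInfo
| where TimeGenerated >= ago(timeframe)
| where EventName in (EventNameList) and isempty(ErrorCode) and isempty(ErrorMessage)
// policyArn is arn:aws:iam::<account>:policy[/<path>]/<name>; take the last segment
// so a policy created with a path still joins on PolicyName (index [1] would
// return the first path element instead of the name).
| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),"/")[-1])
| summarize AttachEventCount = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
    by EventSource, EventName, UserIdentityType, UserIdentityArn, SourceIpAddress,
       UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])),
       PolicyName
| extend AttachEvent = pack("StartTime", StartTime, "EndTime", EndTime, "EventName", EventName,
                            "UserIdentityType", UserIdentityType, "UserIdentityArn", UserIdentityArn,
                            "SourceIpAddress", SourceIpAddress, "UserIdentityUserName", UserIdentityUserName)
| project EventSource, PolicyName, AttachEvent, AttachEventCount
);
// Join on PolicyName to see whether the created policy was attached to a Role/User/Group.
// NOTE: kind=leftouter keeps creations with no attach in the window (AttachEvent is then
// empty), so a qualifying CreatePolicy alone re-alerts on every run for the 14d lookback;
// switch to kind=inner to alert only when an attach followed.
FullAdminPolicyEvents
| join kind=leftouter
(
    PolicyAttach
)
on PolicyName
| project-away PolicyName1
| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName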
queryFrequency: 1d
triggerOperator: gt
tactics:
- PrivilegeEscalation
description: |
    'Detected creation of a new SSM policy followed by one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique used by attackers.'
status: Available
relevantTechniques:
- T1484
name: Creation of SSM policy and then privilege escalation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedSSMPolicytoPrivilegeEscalation.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
query: |
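  // Detection: an IAM policy granting SSM permissions (ssm:* / ssm:Create* /
  // ssm:CreateAssociation on Resource "*", unconditionally) is created, and within
  // the last day one of the attach-policy operations (AttachUserPolicy /
  // AttachRolePolicy / AttachGroupPolicy) references a policy of the same name.
  // Output: one row per qualifying CreatePolicy event, with the matching attach
  // activity (if any) packed into AttachEvent.
  let EventNameList = dynamic(["AttachUserPolicy","AttachRolePolicy","AttachGroupPolicy"]);
  let createPolicy = "CreatePolicy";
  let timeframe = 1d;   // window in which the attach must have occurred
  let lookback = 14d;   // how far back a qualifying CreatePolicy event is considered
  // Master table of the relevant CloudTrail events; both branches below read from it.
  let EventInfo = AWSCloudTrail
  | where TimeGenerated >= ago(lookback)
  | where EventName in (EventNameList) or EventName == createPolicy;
  // CreatePolicy events whose policy document holds at least one Allow statement
  // granting the SSM actions above on Resource "*" with no Condition.
  // This is not a "full admin" check: only SSM-scoped permissions are matched.
  let FullAdminPolicyEvents = materialize(EventInfo
  | where EventName == createPolicy
  | extend PolicyName = tostring(parse_json(RequestParameters).policyName)
  | extend Statement = parse_json(tostring(parse_json(RequestParameters).policyDocument)).Statement
  // IAM allows Statement to be a single object rather than an array; normalise so
  // mv-expand yields one row per statement in both cases (mv-expand on a property
  // bag would otherwise split it into one row per property).
  | extend Statement = iff(gettype(Statement) == "array", Statement, pack_array(Statement))
  | mv-expand Statement
  // Action may be a string or an array; tostring() gives searchable JSON text either way.
  | extend Action = tostring(parse_json(Statement).Action),
           Effect = tostring(parse_json(Statement).Effect),
           Resource = tostring(parse_json(Statement).Resource),
           Condition = tostring(parse_json(Statement).Condition)
  | where Effect =~ "Allow"
      and (Action contains "ssm:*" or Action contains "ssm:Create*" or Action contains "ssm:CreateAssociation")
      and Resource == "*"
      and Condition == ""   // tostring() of a missing Condition is "", i.e. an unconditional grant
  | distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName
  // Fall back to the last ARN segment when UserIdentityUserName is empty.
  | extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))
  | project-rename StartTime = TimeGenerated);
  // Successful attach operations in the last day, keyed by the attached policy's name.
  let PolicyAttach = materialize(EventInfo
  | where TimeGenerated >= ago(timeframe)
  | where EventName in (EventNameList) and isempty(ErrorCode) and isempty(ErrorMessage)
  // policyArn is arn:aws:iam::<account>:policy[/<path>]/<name>; take the last segment
  // so a policy created with a path still joins on PolicyName (index [1] would
  // return the first path element instead of the name).
  | extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),"/")[-1])
  | summarize AttachEventCount = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)
      by EventSource, EventName, UserIdentityType, UserIdentityArn, SourceIpAddress,
         UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])),
         PolicyName
  | extend AttachEvent = pack("StartTime", StartTime, "EndTime", EndTime, "EventName", EventName,
                              "UserIdentityType", UserIdentityType, "UserIdentityArn", UserIdentityArn,
                              "SourceIpAddress", SourceIpAddress, "UserIdentityUserName", UserIdentityUserName)
  | project EventSource, PolicyName, AttachEvent, AttachEventCount
  );
  // Join on PolicyName to see whether the created policy was attached to a Role/User/Group.
  // NOTE: kind=leftouter keeps creations with no attach in the window (AttachEvent is then
  // empty), so a qualifying CreatePolicy alone re-alerts on every run for the 14d lookback;
  // switch to kind=inner to alert only when an attach followed.
  FullAdminPolicyEvents
  | join kind=leftouter
  (
      PolicyAttach
  )
  on PolicyName
  | project-away PolicyName1
  | extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName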
id: aaa2c05e-fdd4-4fa0-9072-6cffe3641b34
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
kind: Scheduled
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aaa2c05e-fdd4-4fa0-9072-6cffe3641b34')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aaa2c05e-fdd4-4fa0-9072-6cffe3641b34')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Creation of SSM policy and then privilege escalation",
        "description": "'Detected creation of a new SSM policy followed by one of the attach policy operations (AttachUserPolicy/AttachRolePolicy/AttachGroupPolicy). This might indicate a privilege escalation technique used by attackers.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let EventNameList = dynamic([\"AttachUserPolicy\",\"AttachRolePolicy\",\"AttachGroupPolicy\"]);\n let createPolicy = \"CreatePolicy\";\n let timeframe = 1d;\n let lookback = 14d;\n // Creating Master table with all the events to use with materialize for better performance\n let EventInfo = AWSCloudTrail\n | where TimeGenerated >= ago(lookback)\n | where EventName in (EventNameList) or EventName == createPolicy;\n //Checking for Policy creation event with Full Admin Privileges since lookback period.\n let FullAdminPolicyEvents =  materialize(  EventInfo\n | where TimeGenerated >= ago(lookback)\n | where EventName == createPolicy\n | extend PolicyName = tostring(parse_json(RequestParameters).policyName)\n | extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\n | mvexpand Statement\n | extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource), Condition = tostring(parse_json(Statement).Condition)\n | extend Action = tostring(Action)\n | where Effect =~ \"Allow\" and (Action contains \"ssm:*\" or Action contains \"ssm:Create*\" or Action contains \"ssm:CreateAssociation\") and Resource == \"*\" and Condition == \"\"\n | distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\n | extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n | project-rename StartTime = TimeGenerated  );\n let PolicyAttach = materialize(  EventInfo\n | where TimeGenerated >= ago(timeframe)\n | where EventName in (EventNameList) and isempty(ErrorCode) and isempty(ErrorMessage)\n | extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\"/\")[1])\n | summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName,   UserIdentityType , 
UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName),   UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\n | extend AttachEvent = pack(\"StartTime\", StartTime, \"EndTime\", EndTime, \"EventName\", EventName, \"UserIdentityType\",   UserIdentityType, \"UserIdentityArn\", UserIdentityArn, \"SourceIpAddress\", SourceIpAddress, \"UserIdentityUserName\", UserIdentityUserName)\n | project EventSource, PolicyName, AttachEvent, AttachEventCount\n );\n // Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\n // These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\n FullAdminPolicyEvents\n | join kind=leftouter\n (\n     PolicyAttach\n )\n on PolicyName\n | project-away PolicyName1\n | extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1484"
        ],
        "alertRuleTemplateName": "aaa2c05e-fdd4-4fa0-9072-6cffe3641b34",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_CreatedSSMPolicytoPrivilegeEscalation.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}