Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Privilege escalation via SSM policy

Back
Idc668c09f-5a49-43f9-b249-6b89a31ec8fb
RulenamePrivilege escalation via SSM policy
DescriptionDetected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on SSM Policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1484
Required data connectorsAWS
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaSSM.yaml
Version1.0.0
Arm templatec668c09f-5a49-43f9-b249-6b89a31ec8fb.json
Deploy To Azure
AWSCloudTrail
  | where EventName in ("PutUserPolicy","PutRolePolicy","PutGroupPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend PolicyName = tostring(parse_json(RequestParameters).policyName)
  | extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement
  | mvexpand Statement
  | extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource), Condition = tostring(parse_json(Statement).Condition)
  | extend Action = tostring(Action)
  | where Effect =~ "Allow" and (Action contains "ssm:*" or Action contains "ssm:Create*" or Action contains "ssm:CreateAssociation") and Resource == "*" and isempty(Condition)
  | distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName
  | extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))
  | extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
triggerOperator: gt
queryFrequency: 1d
name: Privilege escalation via SSM policy
status: Available
queryPeriod: 1d
id: c668c09f-5a49-43f9-b249-6b89a31ec8fb
description: |
    'Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on SSM Policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.'
severity: Medium
query: |
  AWSCloudTrail
    | where EventName in ("PutUserPolicy","PutRolePolicy","PutGroupPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
    | extend PolicyName = tostring(parse_json(RequestParameters).policyName)
    | extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement
    | mvexpand Statement
    | extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource), Condition = tostring(parse_json(Statement).Condition)
    | extend Action = tostring(Action)
    | where Effect =~ "Allow" and (Action contains "ssm:*" or Action contains "ssm:Create*" or Action contains "ssm:CreateAssociation") and Resource == "*" and isempty(Condition)
    | distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName
    | extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))
    | extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName  
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaSSM.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
relevantTechniques:
- T1484
tactics:
- PrivilegeEscalation
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c668c09f-5a49-43f9-b249-6b89a31ec8fb')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c668c09f-5a49-43f9-b249-6b89a31ec8fb')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Privilege escalation via SSM policy",
        "description": "'Detected usage of AttachUserPolicy/AttachGroupPolicy/AttachRolePolicy on SSM Policy. Attackers could use these operations for privilege escalation. Verify these actions with the user.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AWSCloudTrail\n  | where EventName in (\"PutUserPolicy\",\"PutRolePolicy\",\"PutGroupPolicy\") and isempty(ErrorCode) and isempty(ErrorMessage)\n  | extend PolicyName = tostring(parse_json(RequestParameters).policyName)\n  | extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\n  | mvexpand Statement\n  | extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource), Condition = tostring(parse_json(Statement).Condition)\n  | extend Action = tostring(Action)\n  | where Effect =~ \"Allow\" and (Action contains \"ssm:*\" or Action contains \"ssm:Create*\" or Action contains \"ssm:CreateAssociation\") and Resource == \"*\" and isempty(Condition)\n  | distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\n  | extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n  | extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1484"
        ],
        "alertRuleTemplateName": "c668c09f-5a49-43f9-b249-6b89a31ec8fb",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_PrivilegeEscalationViaSSM.yaml",
        "status": "Available"
      }
    }
  ]
}