mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 01:15:17 +00:00
Merge pull request #2119 from austinsonger/privilege_escalation_pass_role_to_lambda_function.yml
passed_role_to_glue_development_endpoint.yml and passed_role_to_lambda_function.yml
This commit is contained in:
commit
d081d20a13
28
rules/cloud/aws/aws_pass_role_to_lambda_function.yml
Normal file
28
rules/cloud/aws/aws_pass_role_to_lambda_function.yml
Normal file
@ -0,0 +1,28 @@
|
||||
title: AWS Passed Role to Lambda Function
|
||||
id: d914951b-52c8-485f-875e-86abab710c0b
|
||||
description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account.
|
||||
author: Austin Songer @austinsonger
|
||||
status: experimental
|
||||
date: 2021/10/03
|
||||
references:
|
||||
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
|
||||
logsource:
|
||||
service: cloudtrail
|
||||
detection:
|
||||
selection1:
|
||||
eventSource: iam.amazonaws.com
|
||||
eventName: PassRole
|
||||
selection2:
|
||||
eventSource: lambda.amazonaws.com
|
||||
eventName: CreateFunction
|
||||
selection3:
|
||||
eventSource: lambda.amazonaws.com
|
||||
eventName: InvokeFunction
|
||||
condition: selection1 and selection2 and selection3
|
||||
level: low
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
- attack.t1078
|
||||
falsepositives:
|
||||
- Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
|
||||
- If known behavior is causing false positives, it can be exempted from the rule.
|
25
rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
Normal file
25
rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
Normal file
@ -0,0 +1,25 @@
|
||||
title: AWS Passed Role to Glue Development Endpoint
|
||||
id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
|
||||
description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account.
|
||||
author: Austin Songer @austinsonger
|
||||
status: experimental
|
||||
date: 2021/10/03
|
||||
references:
|
||||
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
|
||||
- https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
|
||||
logsource:
|
||||
service: cloudtrail
|
||||
detection:
|
||||
selection1:
|
||||
eventSource: lambda.amazonaws.com
|
||||
eventName: PassRole
|
||||
selection2:
|
||||
eventSource: glue.amazonaws.com
|
||||
eventName: CreateDevEndpoint
|
||||
condition: selection1 and selection2
|
||||
level: low
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
falsepositives:
|
||||
- Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
|
||||
- If known behavior is causing false positives, it can be exempted from the rule.
|
Loading…
Reference in New Issue
Block a user