From 92b1ce4cf428d756b16c3159b21f645fd196a5df Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 3 Oct 2021 22:54:01 -0500 Subject: [PATCH 1/7] Create pass_role_to_lambda_function.yml --- .../aws/pass_role_to_lambda_function.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/cloud/aws/pass_role_to_lambda_function.yml diff --git a/rules/cloud/aws/pass_role_to_lambda_function.yml b/rules/cloud/aws/pass_role_to_lambda_function.yml new file mode 100644 index 00000000..013ca204 --- /dev/null +++ b/rules/cloud/aws/pass_role_to_lambda_function.yml @@ -0,0 +1,28 @@ +title: AWS Passed Role to Lambda Function +id: d914951b-52c8-485f-875e-86abab710c0b +description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/03 +references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ +logsource: + service: cloudtrail +detection: + selection1: + eventSource: iam.amazonaws.com + eventName: PassRole + selection2: + eventSource: lambda.amazonaws.com + eventName: CreateFunction + selection3: + eventSource: lambda.amazonaws.com + eventName: InvokeFunction + condition: all +level: low +tags: + - attack.privilege_escalation + - attack.t1078 +falsepositives: + - Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - If known behavior is causing false positives, it can be exempted from the rule. From 60eccf711de6b2556deb1569a16f8b1128c02641 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Sun, 3 Oct 2021 22:54:19 -0500 Subject: [PATCH 2/7] Rename pass_role_to_lambda_function.yml to aws_pass_role_to_lambda_function.yml --- ...o_lambda_function.yml => aws_pass_role_to_lambda_function.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/aws/{pass_role_to_lambda_function.yml => aws_pass_role_to_lambda_function.yml} (100%) diff --git a/rules/cloud/aws/pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml similarity index 100% rename from rules/cloud/aws/pass_role_to_lambda_function.yml rename to rules/cloud/aws/aws_pass_role_to_lambda_function.yml From d694d6faa83e6530c0c22546794c5e35c991537b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 3 Oct 2021 23:03:39 -0500 Subject: [PATCH 3/7] Create passed_role_to_glue_development_endpoint.yml --- ...ssed_role_to_glue_development_endpoint.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/aws/passed_role_to_glue_development_endpoint.yml diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml new file mode 100644 index 00000000..ff46be0a --- /dev/null +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml 
@@ -0,0 +1,25 @@ +title: AWS Passed Role to Glue Development Endpoint +id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 +description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/03 +references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ + - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html +logsource: + service: cloudtrail +detection: + selection1: + eventSource: lambda.amazonaws.com + eventName: PassRole + selection2: + eventSource: glue.amazonaws.com + eventName: CreateDevEndpoint + condition: all +level: low +tags: + - attack.privilege_escalation +falsepositives: + - Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - If known behavior is causing false positives, it can be exempted from the rule. From 3b014259369fa07eaf301e770baa2131174c0822 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 5 Oct 2021 07:40:42 +0200 Subject: [PATCH 4/7] Update aws_pass_role_to_lambda_function.yml --- rules/cloud/aws/aws_pass_role_to_lambda_function.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml index 013ca204..333b6596 100644 --- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml +++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml 
@@ -1,5 +1,5 @@ title: AWS Passed Role to Lambda Function -id: d914951b-52c8-485f-875e-86abab710c0b +id: d914951b-52c8-485f-875e-86abab710c0b description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account. author: Austin Songer @austinsonger status: experimental From ad9362e043131ca57ec780171d05ea02e90f8f13 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 5 Oct 2021 07:41:41 +0200 Subject: [PATCH 5/7] Update passed_role_to_glue_development_endpoint.yml --- rules/cloud/aws/passed_role_to_glue_development_endpoint.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml index ff46be0a..b57a5500 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml @@ -1,5 +1,5 @@ title: AWS Passed Role to Glue Development Endpoint -id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 +id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account. author: Austin Songer @austinsonger status: experimental 
@@ -13,7 +13,7 @@ detection: selection1: eventSource: lambda.amazonaws.com eventName: PassRole - selection2: + selection2: eventSource: glue.amazonaws.com eventName: CreateDevEndpoint condition: all From de52890a628b3cfb148c461716df341278ab4879 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 9 Oct 2021 15:24:49 -0500 Subject: [PATCH 6/7] Update passed_role_to_glue_development_endpoint.yml --- rules/cloud/aws/passed_role_to_glue_development_endpoint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml index b57a5500..dfc15fc6 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml @@ -16,7 +16,7 @@ detection: selection2: eventSource: glue.amazonaws.com eventName: CreateDevEndpoint - condition: all + condition: selection1 and selection2 level: low tags: - attack.privilege_escalation From 1987897a7653c5f1b9dbe0c103b9255f5cd7cde5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 9 Oct 2021 15:26:38 -0500 Subject: [PATCH 7/7] Update aws_pass_role_to_lambda_function.yml --- rules/cloud/aws/aws_pass_role_to_lambda_function.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml index 333b6596..3c38c959 100644 --- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml +++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml @@ -18,7 +18,7 @@ detection: selection3: eventSource: lambda.amazonaws.com eventName: InvokeFunction - condition: all + condition: selection1 and selection2 and selection3 level: low tags: - attack.privilege_escalation
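Review bot: In the new rule created by [PATCH 1/7] (`pass_role_to_lambda_function.yml`), `condition: all` is not a valid Sigma condition expression, and even rewritten as `selection1 and selection2 and selection3` the rule can never fire: each selection pins a different `eventSource`/`eventName` pair (iam.amazonaws.com/PassRole, lambda.amazonaws.com/CreateFunction, lambda.amazonaws.com/InvokeFunction), and a Sigma condition is evaluated against one CloudTrail record, which has exactly one eventName. Match the single event that actually carries the passed role (the CreateFunction call, whose request parameters name the execution role) and leave any multi-event correlation to the downstream platform. The description also has typos ("an user", "Lmbda", "lanugage"), and `attack.t1078` is Valid Accounts, which does not describe passing a role to a function; the tag should be the technique the referenced write-up actually maps this to.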
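Review bot: In the Glue rule added by [PATCH 3/7], `selection1` uses `eventSource: lambda.amazonaws.com` together with `eventName: PassRole`, which looks copied from the Lambda rule; creating a Glue development endpoint involves no Lambda event source, so this selection only adds a clause that can never be true for the CreateDevEndpoint record. The same single-record problem as in the Lambda rule applies here (`condition: all` is invalid syntax, and any "and" of two selections with different eventName values cannot match one record). Separately, [PATCH 2/7] renames the Lambda rule to carry the `aws_` prefix, while this file is created as `passed_role_to_glue_development_endpoint.yml` without it; rename it to match the directory convention.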
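Review bot: The `-id:`/`+id:` lines in [PATCH 4/7] and [PATCH 5/7] and the `-selection2:`/`+selection2:` lines in [PATCH 5/7] are identical as rendered, so these are whitespace-only changes (trailing whitespace or indentation). That is acceptable, but the bare "Update ..." commit messages should say so, and a whitespace fix on the `selection2:` key suggests the original indentation was off, which a YAML parser treats as a structural error rather than cosmetics; run yamllint and the Sigma rule validator over both files before merging.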
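Review bot: The `condition` changes in [PATCH 6/7] and [PATCH 7/7] (`condition: all` to `selection1 and selection2` and `selection1 and selection2 and selection3`) fix the syntax but not the logic: the selections still carry mutually exclusive eventName values and the condition is evaluated per record, so both rules remain unable to match anything. Either reduce each rule to the single creation event (CreateDevEndpoint, CreateFunction) whose request parameters carry the role being passed, or drop the separate PassRole selection entirely; PassRole is an IAM permission checked during those calls, not a standalone event these rules can wait for. Also reconsider `level: low` when the description itself states the outcome can be full administrator access to the account.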