valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #2119 from austinsonger/privilege_escalation_pass_role_to_lambda_function.yml

Browse Source 
passed_role_to_glue_development_endpoint.yml and passed_role_to_lambda_function.yml
This commit is contained in:
frack113 2021-10-10 11:01:36 +02:00 committed by GitHub
commit d081d20a13
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
rules/cloud/aws/aws_pass_role_to_lambda_function.yml Normal file
View File

@ -0,0 +1,28 @@
title: AWS Passed Role to Lambda Function
id: d914951b-52c8-485f-875e-86abab710c0b
description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account.
author: Austin Songer @austinsonger
status: experimental
date: 2021/10/03
references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
logsource:
service: cloudtrail
detection:
selection1:
eventSource: iam.amazonaws.com
eventName: PassRole
selection2:
eventSource: lambda.amazonaws.com
eventName: CreateFunction
selection3:
eventSource: lambda.amazonaws.com
eventName: InvokeFunction
condition: selection1 and selection2 and selection3
level: low
tags:
- attack.privilege_escalation
- attack.t1078
falsepositives:
- Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- If known behavior is causing false positives, it can be exempted from the rule.

25
rules/cloud/aws/passed_role_to_glue_development_endpoint.yml Normal file
View File

@ -0,0 +1,25 @@
title: AWS Passed Role to Glue Development Endpoint
id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account.
author: Austin Songer @austinsonger
status: experimental
date: 2021/10/03
references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
logsource:
service: cloudtrail
detection:
selection1:
eventSource: lambda.amazonaws.com
eventName: PassRole
selection2:
eventSource: glue.amazonaws.com
eventName: CreateDevEndpoint
condition: selection1 and selection2
level: low
tags:
- attack.privilege_escalation
falsepositives:
- Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- If known behavior is causing false positives, it can be exempted from the rule.