Merge pull request #2119 from austinsonger/privilege_escalation_pass_role_to_lambda_function.yml

passed_role_to_glue_development_endpoint.yml and passed_role_to_lambda_function.yml
2024-11-06 09:25:17 +00:00 · 2021-10-10 11:01:36 +02:00 · 2021-10-10 11:01:36 +02:00 · d081d20a13
commit d081d20a13
parent 7497fdb484 1987897a76
2 changed files with 53 additions and 0 deletions
--- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
+++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
@ -0,0 +1,28 @@
+title: AWS Passed Role to Lambda Function
+id: d914951b-52c8-485f-875e-86abab710c0b
+description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/10/03
+references:
+    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
+logsource:
+    service: cloudtrail
+detection:
+    selection1:
+        eventSource: iam.amazonaws.com
+        eventName: PassRole
+    selection2:
+        eventSource: lambda.amazonaws.com
+        eventName: CreateFunction
+    selection3:
+        eventSource: lambda.amazonaws.com
+        eventName: InvokeFunction
+    condition: selection1 and selection2 and selection3
+level: low
+tags:
+    - attack.privilege_escalation
+    - attack.t1078
+falsepositives:
+ - Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
+++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml
@ -0,0 +1,25 @@
+title: AWS Passed Role to Glue Development Endpoint
+id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
+description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/10/03
+references:
+    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
+    - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
+logsource:
+    service: cloudtrail
+detection:
+    selection1:
+        eventSource: lambda.amazonaws.com
+        eventName: PassRole
+    selection2:
+        eventSource: glue.amazonaws.com
+        eventName: CreateDevEndpoint
+    condition: selection1 and selection2
+level: low
+tags:
+    - attack.privilege_escalation
+falsepositives:
+ - Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - If known behavior is causing false positives, it can be exempted from the rule.