-
Author: Elastic
-
Description: This hunting query gathers data for evidence of an adversary creating an IAM role with an inline attached policy that allows the role to assume another role. This only identifies flags for AWS account IDs that are different from the account ID where the role is being created indicating a potential backdoor IAM role.
-
UUID:
429824b6-60b2-11ef-b0a4-f661ea17fbce -
Integration: aws.cloudtrail
-
Language:
[ES|QL] -
Source File: IAM Assume Role Creation with Attached Policy
from logs-aws.cloudtrail-*
| where @timestamp > now() - 7 day
| where
event.provider == "iam.amazonaws.com"
and event.action == "CreateRole"
and aws.cloudtrail.request_parameters RLIKE ".*Allow.*"
and aws.cloudtrail.request_parameters RLIKE ".*sts:AssumeRole.*"
and aws.cloudtrail.request_parameters RLIKE ".*assumeRolePolicyDocument.*"
and aws.cloudtrail.request_parameters RLIKE ".*arn:aws:iam.*"
| dissect aws.cloudtrail.request_parameters "%{}AWS\": \"arn:aws:iam::%{target_account_id}:"
| where cloud.account.id != target_account_id
| keep @timestamp, event.provider, event.action, aws.cloudtrail.request_parameters, target_account_id, cloud.account.id- Review the
target_account_idfield to identify the account that the role is being created in. This could be another AWS account your organization owns. - Review
aws.cloudtrail.request_parametersto identify the role being created and the policy being attached. If the inline policy includes overly permissive permissions such asAdministratorAccess, this could be a sign of malicious activity. - Pivot for
event.actionwhere the value isAttachRolePolicyto identify the policy being attached to the role.
Elastic License v2