Name:aws detect role creation id:5f04081e-ddee-4353-afe4-504f288de9ad version:3 date:2024-10-17 author:Rod Soto, Splunk status:experimental type:Hunting Description:The following analytic identifies the creation of new IAM roles by users in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action is performed, focusing on roles with specific trust policies. This activity is significant as unauthorized role creation can facilitate lateral movement and privilege escalation within the AWS environment. If confirmed malicious, attackers could gain elevated permissions, potentially compromising sensitive resources and data. Data_source:
how_to_implement:You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs known_false_positives:CreateRole is not very common in common users. This search can be adjusted to provide specific values to identify cases of abuse. In general AWS provides plenty of trust policies that fit most use cases. References: drilldown_searches:
: tags: analytic_story: - 'AWS Cross Account Activity' asset_type:AWS Account confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1078' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'event_name' - 'action' - 'userIdentity.type' - 'requestParameters.description' - 'sourceIPAddress' - 'userIdentity.principalId' - 'userIdentity.arn' - 'action' - 'event_name' - 'awsRegion' - 'http_user_agent' - 'mfa_auth' - 'msg' - 'requestParameters.roleName' - 'requestParameters.description' - 'responseElements.role.arn' - 'responseElements.role.createDate' risk_score:25 security_domain:threat
