AWS IAM Assume Role Policy Brute Force

Name:AWS IAM Assume Role Policy Brute Force
id:f19e09b0-9308-11eb-b7ec-acde48001122
version:3
date:2024-09-30
author:Michael Haag, Splunk
status:production
type:TTP
Description:The following analytic detects multiple failed attempts to assume an AWS IAM role, indicating a potential brute force attack. It leverages AWS CloudTrail logs to identify `MalformedPolicyDocumentException` errors with a status of `failure` and filters out legitimate AWS services. This activity is significant as repeated failures to assume roles can indicate an adversary attempting to guess role names, which is a precursor to unauthorized access. If confirmed malicious, this could lead to unauthorized access to AWS resources, potentially compromising sensitive data and services.
Data_source:

• -AWS CloudTrail

search:`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com)
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn
| where count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_assume_role_policy_brute_force_filter`

how_to_implement:The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment.
known_false_positives:This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.
References:
  -https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/
  -https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/
  -https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html
drilldown_searches:
 name:'View the detection results for - "$user_arn$"'
 search:'%original_detection_search% | search user_arn = "$user_arn$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user_arn$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'AWS IAM Privilege Escalation'
  asset_type:AWS Account
  confidence:70
  impact:40
  message:User $user_arn$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.
  mitre_attack_id:
    - 'T1580'
    - 'T1110'
  observable:
    name:'src'
    type:'IP Address'
    - role:
      - 'Attacker'
    name:'user_arn'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'eventName'
    - 'userAgent'
    - 'errorCode'
    - 'requestParameters.policyName'
  risk_score:28
  security_domain:access

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json
  sourcetype: aws:cloudtrail
  source: aws_cloudtrail
  update_timestamp: True
manual_test:None