Name:AWS SetDefaultPolicyVersion id:2a9b80d3-6340-4345-11ad-212bf3d0dac4 version:7 date:2025-05-02 author:Bhavin Patel, Splunk status:production type:TTP Description:The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches. Data_source:
-AWS CloudTrail SetDefaultPolicyVersion
search:`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | rename user_name as user | stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`
how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives:While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources References: -https://bishopfox.com/blog/privilege-escalation-in-aws -https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'AWS IAM Privilege Escalation' asset_type:AWS Account mitre_attack_id: - 'T1078.004' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:threat
