Name:AWS SetDefaultPolicyVersion id:2a9b80d3-6340-4345-11ad-212bf3d0dac4 version:3 date:2024-09-30 author:Bhavin Patel, Splunk status:production type:TTP Description:The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches. Data_source:
-AWS CloudTrail SetDefaultPolicyVersion
search:`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`
how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives:While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources References: -https://bishopfox.com/blog/privilege-escalation-in-aws -https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: name:'View the detection results for - "$user_arn$"' search:'%original_detection_search% | search user_arn = "$user_arn$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user_arn$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'AWS IAM Privilege Escalation' asset_type:AWS Account confidence:60 impact:50 message:From IP address $src$, user $user_arn$ has trigged an event $eventName$ for updating the the default policy version mitre_attack_id: - 'T1078.004' - 'T1078' observable: name:'src' type:'IP Address' - role: - 'Attacker' name:'user_arn' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'eventName' - 'userAgent' - 'errorCode' - 'requestParameters.userName' - 'eventSource' risk_score:30 security_domain:threat
