AWS IAM Privilege Escalation - Threat Research Release March 2021

The Splunk Threat Research Team recently developed an analytic story to help security operations center (SOC) analysts detect adversaries attempting to escalate their privileges and gain elevated access to Amazon Web Services (AWS) resources. In this blog, we’ll walk you through an AWS privilege escalation analytic story, demonstrate how we simulated these attacks using Atomic Red Team, collect and analyze the AWS cloudtrail logs, and highlight a few detections from the March 2021 releases.

Watch the video below to learn more about how we can simulate AWS Privilege Escalation TTPs using Atomic Red Team and detection engineering.



Amazon Web Services Identity and Access Management (IAM) Privilege Escalation

The AWS identity and access management (IAM) privilege escalation analytic story addresses various tactics, techniques and procedures (TTPs) used by attackers to escalate their privileges to gain additional access to an existing compromised AWS Environment.  

AWS provides a neat feature called identity and access management (IAM) that helps organizations manage access to AWS services and resources in a secure way. Every IAM user has roles, groups and policies associated with them, and those policies govern which permissions the user holds and which restrictions that specific user is allowed to bypass.

However, if these IAM policies are misconfigured (which is often the case) and also have specific combinations of weak permission, attackers can escalate their privileges to move laterally or further compromise the organization.

Rhino Security Labs and Bishop Fox Labs have published comprehensive blogs detailing the various techniques attackers use to exploit IAM policies to gain elevated access. Inspired by their research, Splunk’s threat research team wants to show you how we simulated these attacks with the Atomic Red Team framework so they can be repeated, how we curated and collected the resulting AWS Cloudtrail datasets, and the detection queries we wrote to help you uncover these potentially malicious events.

Since privilege escalation typically happens after exploitation, we made a few assumptions as we developed and simulated these detections:

  • We assumed the attacker has already gained access to leaked AWS credentials (Access key and Secret key), allowing them to programmatically interact with AWS. 
  • We assumed the victim has either full access to the AWS services, or enough permissions to allow an attacker to escalate their privileges and expand their access.  

Important Disclaimers

  • Because MITRE ATT&CK Cloud is actively being modified, we will wait to commit our new Atomics to Atomic Red Team until it is normalized. Interested in checking it out in the meantime? Please take a look at our fork of Atomic Red Team, with more updates to come.
  • We are also actively working on upgrading Cloud Attack Range to support simulating AWS attack atomics using Atomic Red Team.

Here Are a Few Examples of Our Detection Searches:

Detection: AWS Create Policy Version to allow all resources
Tactics: Privilege Escalation, Persistence
Description: This query identifies a new policy version created to allow “all” access to resources. This can be normal administrative activity as well as malicious activity.

Detection: AWS SetDefaultPolicyVersion
Tactics: Privilege Escalation, Persistence
Description: This query detects users who set default policy versions.

Detection: AWS CreateAccessKey
Tactics: Privilege Escalation, Persistence
Description: This query detects creation of access keys for other users.

Detection: AWS CreateLoginProfile
Tactics: Privilege Escalation, Persistence
Description: This query detects creation of a login profile and console login events from the same source IP address.

Detection: AWS UpdateLoginProfile
Tactics: Privilege Escalation, Persistence
Description: This query detects API calls in which a new password is set for another user.


Why Should You Care?

The information security community has observed an increase in cloud-based attacks, including major breaches. Common to most of these incidents is a mix of leaked credentials and IAM policy misconfigurations. Rhino Security has published an excellent blog highlighting numerous ways in which AWS credentials get compromised. The recent Capital One breach is one of the best examples to show how damaging misconfiguration of IAM policies can be.

This is why monitoring Cloudtrail logs for specific events that lead to AWS privilege escalation is crucial in order for defenders to stay on top of these threats.

For a full list of security content, check out the release notes on Splunk Docs:

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. All of these detections are also now available via push update in Splunk Security Essentials


Any feedback or requests? Feel free to put in an Issue on Github and we’ll follow up. You can also join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

About the Splunk Threat Research Team

The Splunk Threat Research Team is devoted to understanding bad actor behavior and researching known threats to build detections that the entire Splunk community can benefit from. They build and open-source tools like the Splunk Cloud Attack Range that analyze threats and actors and use these tools to create attack data sets. From these data sets, they build new detections that can be shared with the Splunk community under Splunk Security Content and consumed by various Splunk products like Splunk Enterprise Security, Splunk Security Essentials and Splunk Mission Control to help customers quickly and effectively find known threats.


We would like to thank the Splunk Threat Research Team for their contributions to this post, and for developing new tools. We’d also like to thank all of the community contributors who provided feedback and helped generate new security content.


The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
