Cloud-01-AWS-IAM-Privilege-Escalation-via-AttachUserPolicy

Detects AWS IAM AttachUserPolicy API calls, which can be used for privilege escalation or maintaining persistent access.

  • MITRE ATT&CK: T1098.003 - Additional Cloud Credentials
  • Demonstrates CloudTrail log to ASP Alert mapping, Artifact extraction, and Case aggregation

Log Source

Logs are generated by the Mock Plugin CloudGenerator, which produces simulated AWS CloudTrail logs.

Field descriptions can be found in siem-aws-cloudtrail.yaml.

Key Processing Logic

  • Field Extraction: Extract operator identity from userIdentity, and target user and policy ARN from requestParameters
  • Artifact: Operator (username/ARN/AccessKey), target user, source IP, policy ARN, account ID. Each Artifact is automatically enriched via CMDB
  • Aggregation: Aggregate by [account, operator, target user] within 24h into the same Case
  • Severity: Mapped from event.risk_score (>=90 Critical, >=70 High, >=40 Medium)
  • Disposition: UnauthorizedOperation -> UNAUTHORIZED/DENIED, other errors -> ERROR, success -> DETECTED
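The extraction, severity, disposition and 24h case-aggregation steps above, worked through in Python as an added example (this is not the rule's own code, and the sample record, the `risk_score` placement and the below-40 "Low" bucket are assumptions):

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style record (not CloudGenerator output); risk_score is assumed to be set by the pipeline.
SAMPLE = json.loads("""{"eventTime": "2024-05-01T10:00:00Z",
 "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
 "recipientAccountId": "123456789012", "risk_score": 85,
 "userIdentity": {"userName": "ops-alice", "accessKeyId": "AKIAEXAMPLE0000001",
   "arn": "arn:aws:iam::123456789012:user/ops-alice"},
 "requestParameters": {"userName": "svc-backup",
   "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}""")

def extract_artifacts(ev):
    """Field extraction: operator from userIdentity, target and policy from requestParameters."""
    ident, req = ev.get("userIdentity", {}), ev.get("requestParameters", {})
    return {"operator": ident.get("userName") or ident.get("arn"),
            "operator_arn": ident.get("arn"), "access_key": ident.get("accessKeyId"),
            "target_user": req.get("userName"), "policy_arn": req.get("policyArn"),
            "source_ip": ev.get("sourceIPAddress"), "account_id": ev.get("recipientAccountId")}

def severity(risk_score):
    """Severity thresholds from the rule; below 40 is assumed to map to Low."""
    if risk_score >= 90:
        return "Critical"
    if risk_score >= 70:
        return "High"
    return "Medium" if risk_score >= 40 else "Low"

def disposition(ev):
    """UnauthorizedOperation -> UNAUTHORIZED, any other errorCode -> ERROR, success -> DETECTED."""
    err = ev.get("errorCode")
    if err == "UnauthorizedOperation":
        return "UNAUTHORIZED"
    return "ERROR" if err else "DETECTED"

def aggregate_cases(events, window=timedelta(hours=24)):
    """Group alerts by [account, operator, target user]; a case stays open for `window`
    from its first alert, after which a new case is opened for the same key."""
    cases = {}  # key -> list of cases, each {"opened": datetime, "alerts": [...]}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        art = extract_artifacts(ev)
        key = (art["account_id"], art["operator"], art["target_user"])
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        chain = cases.setdefault(key, [])
        if not chain or ts - chain[-1]["opened"] > window:
            chain.append({"opened": ts, "alerts": []})
        chain[-1]["alerts"].append({"severity": severity(ev.get("risk_score", 0)),
                                    "disposition": disposition(ev), **art})
    return cases
```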