Identifies RemoveRoleFromInstanceProfile followed by AddRoleToInstanceProfile from the same source and identity, which may indicate privilege escalation by attaching a higher-privileged role to an instance profile. AWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Amazon Web Services |
| ID | e1a91db8-f2b3-4531-bff6-da133d4f4f1a |
| Tactics | PrivilegeEscalation |
| Techniques | T1098 |
| Required Connectors | AWS, AWSS3 |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AWSCloudTrail | EventName in "AddRoleToInstanceProfile,RemoveRoleFromInstanceProfile" | ✓ | ✓ | ✓ |