AWSCloudTrail - IAM Assume Role Brute Force

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Identify repeated failed AssumeRole attempts against existing IAM roles, which may indicate privilege escalation or lateral movement using a compromised identity.

Attribute	Value
Type	Hunting Query
Solution	Amazon Web Services
ID	`2b8cecfe-f705-432d-9f38-08207b9473e1`
Severity	High
Tactics	CredentialAccess, PrivilegeEscalation
Techniques	T1110.001, T1098.003
Required Connectors	AWS
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`AWSCloudTrail`	`ErrorMessage == "AccessDenied"` `EventName == "AssumeRole"`	✓	✓	✓

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries · Back to Amazon Web Services