AWSCloudTrail - Privilege escalation with admin managed policy

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Detects successful attachment of admin-related managed IAM policies to users, roles, or groups, excluding the dedicated AdministratorAccess and FullAccess patterns handled by other detections. This behavior may indicate unauthorized privilege escalation and should be validated against approved administrative changes.

Attribute	Value
Type	Analytic Rule
Solution	Amazon Web Services
ID	49ce5322-60d7-4b02-ad79-99f650aa5790
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	PrivilegeEscalation, Persistence
Techniques	T1098.003
Required Connectors	AWS
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSCloudTrail	EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy"	✓	✓	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Amazon Web Services