AWS Suspect Privilege Escalation

Detection overview

Triggers

  • A credential was observed making an unusual set of API requests that enumerate its own privileges, followed by an API request that modifies privileges. This enumerate-then-modify sequence may indicate a privilege escalation within the environment.

Possible Root Causes

  • An attacker has attempted to escalate privileges within the environment.
  • An account misconfiguration has weakened the IAM controls that govern which principals may modify permissions on resources.
  • A security service, administrator, or other automation completed these actions as part of normal environment operation.

Business Impact

  • Privilege escalation may indicate the presence of an adversary that is modifying permissions to progress towards an objective.
  • Misconfigured permissions, even when not exploited, increase the risk of impact to assets, data, or services.

Steps to Verify

  • Investigate the context of the account that made the change (source IP addresses, user agents, and the other API calls it issued) for other signs of malicious activity.
  • Validate that the modifications are authorized, given the purpose of the affected resource and the policies governing it.
  • If review indicates possible malicious actions or a high-risk configuration, revert the configuration change and disable the credentials associated with this alert, then perform a comprehensive investigation. Check whether the modification itself created new credentials (for example an access key or login profile) that also need to be revoked.
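As an added worked example (not Vectra's detection logic and not code from this page), the following Python applies the enumerate-then-modify heuristic described under Triggers to constructed CloudTrail-shaped events, then builds the context the verification steps above call for: the credential's other activity and origins, whether it changed its own permissions, and the IAM call that reverts the change. The IAM action names are real IAM API actions; the thresholds (three distinct enumeration calls within 30 minutes), the sample events, principals, and IP addresses are assumptions.

```python
"""Added example: enumerate-then-modify IAM detection over constructed
CloudTrail events, plus triage context and a revert plan. Not Vectra's code.
IAM action names are real; thresholds, events and principals are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# IAM calls that reveal what a principal is allowed to do (enumeration).
ENUMERATE = {"GetAccountAuthorizationDetails", "ListAttachedUserPolicies",
             "ListUserPolicies", "ListGroupsForUser", "ListRoles", "ListPolicies",
             "GetUser", "GetPolicyVersion", "SimulatePrincipalPolicy"}
# IAM calls that change what a principal is allowed to do, mapped to the call
# that undoes them. None: the revert needs state the event does not carry
# (the previous trust policy document), so it must be restored by hand.
MODIFY = {"AttachUserPolicy": "DetachUserPolicy", "PutUserPolicy": "DeleteUserPolicy",
          "AttachRolePolicy": "DetachRolePolicy", "AddUserToGroup": "RemoveUserFromGroup",
          "CreateAccessKey": "DeleteAccessKey", "CreateLoginProfile": "DeleteLoginProfile",
          "CreatePolicyVersion": "DeletePolicyVersion", "UpdateAssumeRolePolicy": None}

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _actor(e):
    return e["userIdentity"].get("arn", "unknown")

def detect(events, min_enum=3, window=timedelta(minutes=30)):
    """One finding per successful IAM modification preceded, within `window`,
    by at least `min_enum` distinct enumeration calls from the same credential.
    Denied attempts (errorCode present) are not counted as modifications."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_actor[_actor(e)].append(e)
    findings = []
    for actor, evs in by_actor.items():
        recon = []  # (time, eventName) of enumeration calls seen so far
        for e in evs:
            name = e["eventName"]
            if name in ENUMERATE:
                recon.append((_ts(e), name))
            elif name in MODIFY and "errorCode" not in e:
                recent = {n for t, n in recon if _ts(e) - t <= window}
                if len(recent) >= min_enum:
                    findings.append({"actor": actor, "modification": e,
                                     "enumeration": sorted(recent)})
    return findings

def triage(events, finding):
    """Context for verification: the credential's other activity, where it came
    from, whether it changed its own permissions, and how to revert."""
    actor, mod = finding["actor"], finding["modification"]
    own = [e for e in events if _actor(e) == actor]
    params = mod.get("requestParameters", {})
    target = params.get("userName") or params.get("roleName") or params.get("groupName")
    return {
        "actor": actor,
        "source_ips": sorted({e.get("sourceIPAddress", "?") for e in own}),
        "user_agents": sorted({e.get("userAgent", "?") for e in own}),
        "other_actions": sorted({e["eventName"] for e in own} - ENUMERATE - set(MODIFY)),
        # The ARN's last path segments name the user (or role and session).
        "self_targeted": bool(target) and target in actor.split("/"),
        "revert": MODIFY[mod["eventName"]] or "manual: restore the previous document",
        "revert_params": params,
    }

def _ev(minute, actor, name, params=None, ip="198.51.100.7", ua="aws-cli/2.15.30", err=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    e = {"eventTime": f"2024-05-01T10:{minute:02d}:00Z", "eventName": name,
         "userIdentity": {"arn": actor}, "sourceIPAddress": ip, "userAgent": ua,
         "requestParameters": params or {}}
    if err:
        e["errorCode"] = err
    return e

DEV = "arn:aws:iam::123456789012:user/dev-ci"    # assumed CI credential
ADMIN = "arn:aws:iam::123456789012:user/alice"   # assumed administrator
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
SAMPLE_EVENTS = [  # constructed: a recon burst, a denied attempt, then success
    _ev(1, DEV, "ListBuckets"),
    _ev(3, DEV, "GetUser", {"userName": "dev-ci"}),
    _ev(4, DEV, "ListAttachedUserPolicies", {"userName": "dev-ci"}),
    _ev(5, DEV, "ListUserPolicies", {"userName": "dev-ci"}),
    _ev(6, DEV, "GetAccountAuthorizationDetails"),
    _ev(8, DEV, "AttachUserPolicy", {"userName": "dev-ci", "policyArn": ADMIN_POLICY},
        err="AccessDenied"),
    _ev(9, DEV, "AttachUserPolicy", {"userName": "dev-ci", "policyArn": ADMIN_POLICY}),
    # Routine admin change with no preceding enumeration: not flagged.
    _ev(20, ADMIN, "AttachUserPolicy", {"userName": "bob", "policyArn": ADMIN_POLICY},
        ip="203.0.113.9", ua="console.amazonaws.com"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["actor"], "->", f["modification"]["eventName"], f["enumeration"])
        print(triage(SAMPLE_EVENTS, f))
```

Only successful modifications are counted, matching the trigger as described; a denied AttachUserPolicy right after a recon burst is still worth a look during verification, and the triage output surfaces it because every call by the flagged credential is listed. Whether the change is self-targeted is the quickest authorization check: a credential granting itself AdministratorAccess is rarely routine operation, whereas an administrator changing another principal's policy from the console often is.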