
Suspicious use of AWS APIs indicating privilege escalation

ID: aws_privilege_escalation_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0004 (Privilege Escalation), T1078.004 (Valid Accounts: Cloud Accounts)

Description

AlphaSOC detected AWS API calls indicating potential privilege escalation activity. In AWS Identity and Access Management (IAM), principals (users and roles) receive their permissions from the policies attached to them or to the groups they belong to. Threat actors who hold a foothold as one principal commonly abuse overly permissive policies and IAM misconfigurations (for example, the right to attach policies, create policy versions, or edit a role's trust policy) to grant themselves more access than they were given and reach sensitive assets.

Impact

Threat actors with elevated privileges can access sensitive data, modify or delete critical resources, launch new instances for malicious activities, and chain escalations to gain administrative control over the organization.

Severity

Severity         Condition
Informational    One unexpected property: action, ASN, user agent or region
Low              Two unexpected properties at the same time
Medium           Three unexpected properties at the same time
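The scoring above counts how many properties of an IAM call (the action itself, the caller's ASN, user agent and region) fall outside what is normal for that principal. The following is an added illustration of that logic run over constructed CloudTrail records; it is not AlphaSOC's implementation. The watchlist of escalation-related IAM actions, the IP-to-ASN table standing in for enrichment, and the per-principal baseline are all assumptions made for the example. It generalizes slightly beyond the table: when all four properties are unexpected it still caps at Medium, since the page defines no higher level.

```python
"""Toy scorer for privilege-escalation-flavoured IAM calls in CloudTrail.

Added example, not AlphaSOC's code. The watchlist, the IP-to-ASN table and
the baseline below are constructed assumptions for illustration.
"""

# Assumed watchlist: IAM actions that can grant a principal more rights than it
# currently holds. Hypothetical subset, not the vendor's list.
ESCALATION_ACTIONS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "SetDefaultPolicyVersion",
    "UpdateAssumeRolePolicy", "CreateAccessKey", "CreateLoginProfile",
    "UpdateLoginProfile", "AddUserToGroup",
}

# Constructed IP -> ASN table standing in for the enrichment step; CloudTrail
# itself only records sourceIPAddress.
IP_TO_ASN = {
    "203.0.113.10": "AS64500",
    "198.51.100.7": "AS64501",
}

# Constructed per-principal baseline of properties seen in normal operation.
BASELINE = {
    "arn:aws:iam::123456789012:user/deploy-bot": {
        "actions": {"AssumeRole", "GetObject", "PutObject"},
        "asns": {"AS64500"},
        "user_agents": {"aws-sdk-go/1.44.0"},
        "regions": {"us-east-1"},
    },
}

# One unexpected property -> Informational, two -> Low, three or more -> Medium.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}

# Constructed sample CloudTrail records (not real logs), trimmed to the fields used.
SAMPLE_EVENTS = [
    # Routine deploy from the usual network, SDK and region: not on the watchlist.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-sdk-go/1.44.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"}},
    # Same key, same network, but suddenly attaching a policy: one unexpected property.
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-sdk-go/1.44.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"}},
    # Same key from an unfamiliar ASN, CLI and region creating a console password.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"}},
]


def unexpected_properties(event, baseline=BASELINE):
    """Return the names of the event's properties absent from the principal's baseline."""
    profile = baseline.get(event["userIdentity"]["arn"])
    if profile is None:
        # A principal with no history: nothing about the call is expected.
        return ["action", "asn", "user_agent", "region"]
    asn = IP_TO_ASN.get(event["sourceIPAddress"], "unknown")
    checks = {
        "action": event["eventName"] in profile["actions"],
        "asn": asn in profile["asns"],
        "user_agent": event["userAgent"] in profile["user_agents"],
        "region": event["awsRegion"] in profile["regions"],
    }
    return [name for name, ok in checks.items() if not ok]


def score_event(event, baseline=BASELINE):
    """Return (severity, unexpected_properties), or None when the call is not an
    IAM action on the watchlist or nothing about it deviates from the baseline."""
    if event["eventSource"] != "iam.amazonaws.com" or event["eventName"] not in ESCALATION_ACTIONS:
        return None
    props = unexpected_properties(event, baseline)
    if not props:
        return None
    return SEVERITY_BY_COUNT[min(len(props), 3)], props


def score_events(events, baseline=BASELINE):
    """Score a batch of records, keeping only those that produce an alert."""
    alerts = []
    for event in events:
        result = score_event(event, baseline)
        if result is not None:
            alerts.append((event["eventName"], *result))
    return alerts


if __name__ == "__main__":
    for name, severity, props in score_events(SAMPLE_EVENTS):
        print(f"{severity:13} {name:20} unexpected: {', '.join(props)}")
```

In practice the baseline would be learned from weeks of CloudTrail history per principal rather than hand-written, and the ASN would come from an IP enrichment source; the shape of the decision (watchlisted action, count of deviations, map to severity) is what the table describes.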

Investigation and Remediation

Investigate the associated API calls and identify the calling principal from the CloudTrail userIdentity field, together with the source IP address, user agent, region, request parameters and whether the call succeeded (an errorCode such as AccessDenied means the attempt failed). If unauthorized escalation is confirmed, contain it immediately: deactivate and rotate any exposed access keys, reset affected user passwords, and, for roles, invalidate outstanding temporary credentials (IAM's "revoke active sessions" option does this by attaching an inline deny policy conditioned on aws:TokenIssueTime). Then undo what the escalation granted, such as newly attached policies, policy versions, trust-policy changes or access keys, and conduct a thorough impact assessment to identify all resources that may have been accessed or modified during the incident.

Known False Positives

  • Administrative activities requiring temporary privilege elevation
  • CI/CD pipelines using role assumption for authorized tasks
  • Applications attempting to access resources due to misconfiguration
  • Security or DevOps teams conducting authorized tests
  • AWS services acting through service-linked roles with the permissions those roles are designed to carry