Cloud IAM Privilege Escalation
Status
active
Attacker Type
HUMAN
Confidence
78%
Kill Chain
Privilege Escalation
Events
156
CRS Score
91
Elapsed
15m
EVENT TIMELINE
high 13:35:00
Anomalous IAM API calls from developer workstation
critical 13:35:15
iam:PassRole + lambda:CreateFunction escalation attempt
info 13:35:30
CIE: Shadow IAM policies deployed
info 13:36:00
Lambda execution sandboxed
ATTACK NARRATIVE
A sophisticated human operator gained initial access through a compromised developer workstation and is attempting privilege escalation within the AWS environment. The attacker has demonstrated knowledge of AWS IAM internals, attempting to chain iam:PassRole with lambda:CreateFunction: passing a higher-privileged execution role to a newly created function lets the code in that function run with that role's permissions rather than the developer's. The CIE has deployed shadow IAM policies that appear to grant the escalated privileges but actually route all actions through a monitored sandbox. The attacker has executed 4 actions in the sandboxed environment, revealing their exfiltration targets.
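The PassRole + CreateFunction chain above can be detected from CloudTrail alone, with one caveat a detection engineer needs: iam:PassRole is never logged as its own event. It is an authorization check performed while a Lambda API call passes a role, so the detector must inspect the Lambda calls (and their AccessDenied errors) and then confirm execution by watching for the Lambda service assuming the passed role. The following is an added example, not part of the page or of the platform it describes; the account ID, principal names, privileged-role set and approved-deployer set are constructed assumptions, and only the role names echo the page's asset list.

```python
from datetime import datetime, timedelta

# Assumed for this example (not from the page): roles whose attached policies
# give code running under them broad IAM/S3 reach. In practice populate this
# from an IAM policy inventory. 111122223333 is the AWS documentation
# placeholder account ID.
PRIVILEGED_ROLES = {"arn:aws:iam::111122223333:role/iam-role-dev-deploy"}
# Assumed: principals that legitimately deploy Lambda with privileged roles.
APPROVED_DEPLOYERS = {"arn:aws:iam::111122223333:role/ci-deploy"}
# Lambda calls that carry a Role parameter and therefore require iam:PassRole.
# CloudTrail records the versioned names (e.g. CreateFunction20150331).
ROLE_PASSING_CALLS = {
    "CreateFunction20150331", "CreateFunction",
    "UpdateFunctionConfiguration20150331", "UpdateFunctionConfiguration",
}
# How long after the function is created we accept a service AssumeRole as
# confirmation that the passed role was actually exercised.
EXECUTION_WINDOW = timedelta(minutes=10)


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_passrole_chain(events):
    """Return findings for PassRole + Lambda create/update escalation.

    Stage 1 flags Lambda calls that pass a privileged role from a caller who
    is not an approved deployer, and AccessDenied errors that name
    iam:PassRole (a probe that did not succeed). Stage 2 marks a finding as
    executed when the Lambda service assumed that role within the window.
    """
    findings = []
    service_assumes = []  # (time, roleArn) pairs where Lambda assumed a role
    for ev in sorted(events, key=_ts):
        src, name = ev.get("eventSource"), ev.get("eventName")
        params = ev.get("requestParameters") or {}
        ident = ev.get("userIdentity") or {}
        # The Lambda service assuming an execution role shows up as an STS
        # AssumeRole with userIdentity.invokedBy = lambda.amazonaws.com.
        if (src == "sts.amazonaws.com" and name == "AssumeRole"
                and ident.get("invokedBy") == "lambda.amazonaws.com"):
            service_assumes.append((_ts(ev), params.get("roleArn")))
            continue
        if src != "lambda.amazonaws.com" or name not in ROLE_PASSING_CALLS:
            continue
        caller, role = ident.get("arn", ""), params.get("role", "")
        if (ev.get("errorCode") == "AccessDenied"
                and "iam:PassRole" in ev.get("errorMessage", "")):
            findings.append({"kind": "passrole_denied", "severity": "medium",
                             "time": ev["eventTime"], "caller": caller,
                             "role": role, "executed": False})
        elif role in PRIVILEGED_ROLES and caller not in APPROVED_DEPLOYERS:
            findings.append({"kind": "privileged_role_passed", "severity": "critical",
                             "time": ev["eventTime"], "caller": caller, "role": role,
                             "function": params.get("functionName"), "executed": False})
    # Stage 2: correlate each successful pass with a service-side AssumeRole.
    for f in findings:
        if f["kind"] != "privileged_role_passed":
            continue
        t0 = datetime.strptime(f["time"], "%Y-%m-%dT%H:%M:%SZ")
        f["executed"] = any(t0 <= t <= t0 + EXECUTION_WINDOW and r == f["role"]
                            for t, r in service_assumes)
    return findings


# Constructed CloudTrail-shaped sample events (not real log data).
ACCT = "arn:aws:iam::111122223333"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T13:30:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": f"{ACCT}:role/ci-deploy"},
     "requestParameters": {"functionName": "data-processor",
                           "role": f"{ACCT}:role/lambda-data-processor"}},
    {"eventTime": "2024-05-01T13:35:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": f"{ACCT}:user/dev-alice"},
     "requestParameters": {"functionName": "sync-helper",
                           "role": f"{ACCT}:role/iam-role-dev-deploy"},
     "errorCode": "AccessDenied",
     "errorMessage": f"User: {ACCT}:user/dev-alice is not authorized to perform: "
                     f"iam:PassRole on resource: {ACCT}:role/iam-role-dev-deploy"},
    {"eventTime": "2024-05-01T13:35:15Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331",
     "userIdentity": {"arn": f"{ACCT}:user/dev-alice"},
     "requestParameters": {"functionName": "sync-helper",
                           "role": f"{ACCT}:role/iam-role-dev-deploy"}},
    {"eventTime": "2024-05-01T13:35:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
     "requestParameters": {"roleArn": f"{ACCT}:role/iam-role-dev-deploy",
                           "roleSessionName": "sync-helper"}},
]

if __name__ == "__main__":
    for f in detect_passrole_chain(SAMPLE_EVENTS):
        print(f["time"], f["severity"], f["kind"], f["caller"], "executed=%s" % f["executed"])
```

Run on the sample events, the CI deployment is ignored, the denied probe at 13:35:00 is reported at medium severity, and the 13:35:15 creation is reported as critical and marked executed once the service-side AssumeRole for the same role lands at 13:35:40. The executed flag is what separates "attempt" from "code now running under the privileged role" and is the point at which key rotation and role trust-policy review should start.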
Affected Assets
iam-role-dev-deploy
lambda-data-processor
s3-customer-data-prod
ec2-dev-workstation-07
Agent Layers Involved
cloud, identity, data
PREDICTED NEXT MOVES
01 Create new IAM user with AdministratorAccess
02 Attach policy to existing role for persistence
03 Modify S3 bucket policies for data exfiltration
Pre-Blocked Paths
BLOCKED Create new IAM user with AdministratorAccess
BLOCKED Attach policy to existing role for persistence
BLOCKED Modify S3 bucket policies for data exfiltration
COUNTER-ACTIONS EXECUTED
Deployed shadow IAM policies
13:35:30
Sandboxed lambda execution environment
13:36:00
Rotated all developer access keys
13:40:00