AWS Glue Development Endpoint Activity

 1title: AWS Glue Development Endpoint Activity
 2id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
 3status: test
 4description: Detects possible suspicious glue development endpoint activity.
 5references:
 6    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
 7    - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
 8author: Austin Songer @austinsonger
 9date: 2021/10/03
10modified: 2022/12/18
11tags:
12    - attack.privilege_escalation
13logsource:
14    product: aws
15    service: cloudtrail
16detection:
17    selection:
18        eventSource: 'glue.amazonaws.com'
19        eventName:
20            - 'CreateDevEndpoint'
21            - 'DeleteDevEndpoint'
22            - 'UpdateDevEndpoint'
23    condition: selection
24falsepositives:
25    - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
26    - If known behavior is causing false positives, it can be exempted from the rule.
27level: low

References

• AWS IAM Privilege Escalation – Methods and Mitigation

  At Rhino Security Labs, our focus is AWS penetration testing and AWS security research. This AWS IAM shows privilege escalation in AWS and other clouds.

  
  Read More

• CreateDevEndpoint - AWS Glue

  Creates a new development endpoint.

  
  Read More

Related rules

• Abused Debug Privilege by Arbitrary Parent Processes
• Always Install Elevated MSI Spawned Cmd And Powershell
• Azure Kubernetes CronJob
• DotNet CLR DLL Loaded By Scripting Applications
• HackTool - UACMe Akagi Execution