
Summary
This rule detects a compromised IAM credential attempting to escalate privileges by attaching the highly permissive `AdministratorAccess` managed policy to an existing IAM role through the `AttachRolePolicy` API operation. In AWS environments, attackers who hold valid credentials may use such actions to broaden their access and gain administrative control over critical resources. The detection is implemented in ESQL and searches AWS CloudTrail logs for successful `AttachRolePolicy` calls that reference the `AdministratorAccess` managed policy. Investigators are advised to verify the caller's identity and the legitimacy of the operation, and to examine surrounding activity for anomalies. The rule also includes guidance on investigation steps, potential false-positive scenarios, and response measures for suspicious behaviour.
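The same detection logic, written here as an added Python example (not the rule's own ESQL) that runs over constructed CloudTrail events: it keeps only successful `AttachRolePolicy` calls whose `policyArn` is the AWS-managed `AdministratorAccess` policy and pulls out the fields an investigator needs first. The event shapes and the ARN comparison are assumptions based on the standard CloudTrail record format.

```python
# Constructed sample CloudTrail events (not real logs). Only the first one should match:
# the second was denied (errorCode set), the third attaches a different policy.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-31T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-31T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-ci"},
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-31T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/admin"},
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

# ARN of the AWS-managed policy; a customer-managed policy with the same name would
# live under arn:aws:iam::<account-id>:policy/... and is deliberately not matched here.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def matches_rule(event: dict) -> bool:
    """True for a successful IAM AttachRolePolicy call that attaches AdministratorAccess."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "AttachRolePolicy":
        return False
    if event.get("errorCode"):          # CloudTrail sets errorCode only on failed calls
        return False
    params = event.get("requestParameters") or {}
    return params.get("policyArn") == ADMIN_POLICY_ARN


def find_admin_attachments(events: list) -> list:
    """Return the investigation-relevant fields for every matching event."""
    hits = []
    for event in events:
        if matches_rule(event):
            hits.append({
                "time": event.get("eventTime"),
                "actor": (event.get("userIdentity") or {}).get("arn"),
                "actor_type": (event.get("userIdentity") or {}).get("type"),
                "source_ip": event.get("sourceIPAddress"),
                "role": event["requestParameters"].get("roleName"),
            })
    return hits
```

Each hit names the caller ARN, identity type, source IP and target role, which is exactly what the investigation guidance asks an analyst to verify first.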
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Storage
- Network Traffic
- Application Log
- User Account
- Service
ATT&CK Techniques
- T1098
- T1098.003
Created: 2024-05-31