First Occurrence of STS GetFederationToken Request by User

Identifies the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user within the last 10 days. The GetFederationToken API call allows users to request temporary security credentials to access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not normally have access to.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/08/19"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the first occurrence of an AWS Security Token Service (STS) `GetFederationToken` request made by a user
within the last 10 days. The `GetFederationToken` API call allows users to request temporary security credentials to
access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not
normally have access to.
"""
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "First Occurrence of STS GetFederationToken Request by User"
references = [
    "https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/"
]
risk_score = 21
rule_id = "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Amazon Web Services",
    "Data Source: AWS",
    "Data Source: AWS STS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: sts.amazonaws.com
    and event.action: GetFederationToken
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating First Occurrence of STS GetFederationToken Request by User

AWS Security Token Service (STS) enables users to request temporary credentials for accessing AWS resources. While beneficial for legitimate use, adversaries may exploit this to gain unauthorized access. The detection rule identifies unusual activity by flagging the first instance of a `GetFederationToken` request by a user within a 10-day window, helping to uncover potential misuse aimed at evading defenses.

### Possible investigation steps

- Review the specific user account associated with the GetFederationToken request to determine if the activity aligns with their typical behavior and role within the organization.
- Examine the AWS CloudTrail logs for additional context around the time of the GetFederationToken request, looking for any other unusual or suspicious activities by the same user or related accounts.
- Check the source IP address and geolocation of the GetFederationToken request to identify if it originates from an expected or unexpected location.
- Investigate the resources accessed using the temporary credentials obtained from the GetFederationToken request to assess if there was any unauthorized or suspicious access.
- Consult with the user or their manager to verify if the GetFederationToken request was legitimate and necessary for their work tasks.

### False positive analysis

- Routine administrative tasks by cloud administrators may trigger the rule if they are using `GetFederationToken` for legitimate purposes. To manage this, create exceptions for known administrative accounts that regularly perform these actions.
- Automated scripts or applications that use `GetFederationToken` for legitimate operations might be flagged. Identify these scripts and exclude their associated user accounts from the rule to prevent unnecessary alerts.
- Third-party services integrated with AWS that require temporary credentials might cause false positives. Review and whitelist these services if they are verified and trusted to avoid repeated alerts.
- New employees or contractors accessing AWS resources for the first time may trigger the rule. Implement a process to verify their access requirements and exclude their accounts if their actions are deemed non-threatening.

### Response and remediation

- Immediately revoke the temporary credentials associated with the `GetFederationToken` request to prevent unauthorized access to AWS resources.
- Review CloudTrail logs to identify any suspicious activities performed using the temporary credentials and assess the potential impact on AWS resources.
- Isolate the affected user account by disabling it temporarily to prevent further unauthorized actions until a thorough investigation is completed.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Conduct a root cause analysis to determine how the `GetFederationToken` request was initiated and identify any potential security gaps or misconfigurations.
- Implement additional monitoring and alerting for `GetFederationToken` requests to detect and respond to similar activities promptly in the future.
- Review and update IAM policies and permissions to ensure that only authorized users have the ability to request temporary credentials, reducing the risk of misuse."""

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
```
...
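To make the rule's `new_terms` semantics concrete, the following added Python example (not Elastic's own code) applies the rule's KQL filter and its 10-day `history_window_start` to a handful of constructed CloudTrail events keyed on `event.ingested`, as the rule's `timestamp_override` does; the account id, user names and the `_ev`/`find_new_terms` helpers are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail events using the ECS-style field names the rule queries.
# Account id and user names are hypothetical and not taken from the rule page.
ALICE = "arn:aws:iam::111111111111:user/alice"
BOB = "arn:aws:iam::111111111111:user/bob"

def _ev(ingested, action, arn, provider="sts.amazonaws.com"):
    return {"event.ingested": ingested, "event.dataset": "aws.cloudtrail",
            "event.provider": provider, "event.action": action,
            "aws.cloudtrail.user_identity.arn": arn}

SAMPLE_EVENTS = [
    _ev("2025-01-01T09:00:00Z", "GetFederationToken", ALICE),  # first for alice -> alert
    _ev("2025-01-03T10:00:00Z", "GetFederationToken", ALICE),  # seen 2 days ago -> no alert
    _ev("2025-01-05T11:00:00Z", "AssumeRole", ALICE),          # not GetFederationToken -> ignored
    _ev("2025-01-06T12:00:00Z", "GetFederationToken", BOB),    # first for bob -> alert
    _ev("2025-01-20T08:00:00Z", "GetFederationToken", ALICE),  # 17 days since last -> alert again
]

HISTORY_WINDOW = timedelta(days=10)  # rule: history_window_start = "now-10d"

def matches_query(ev):
    """The rule's KQL filter: CloudTrail events from STS whose action is GetFederationToken."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "sts.amazonaws.com"
            and ev.get("event.action") == "GetFederationToken")

def _ts(ev):
    # timestamp_override = "event.ingested": the rule evaluates events by ingestion time
    return datetime.strptime(ev["event.ingested"], "%Y-%m-%dT%H:%M:%SZ")

def find_new_terms(events, window=HISTORY_WINDOW):
    """Emit one (timestamp, user ARN) alert for every matching event whose ARN produced
    no matching event within `window` before it, which is what a new_terms rule checks."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=_ts):
        if not matches_query(ev):
            continue
        arn = ev["aws.cloudtrail.user_identity.arn"]
        now = _ts(ev)
        prev = last_seen.get(arn)
        if prev is None or now - prev > window:
            alerts.append((ev["event.ingested"], arn))
        last_seen[arn] = now
    return alerts
```

Note that the same user alerts again once the window has elapsed, so a long gap in an administrator's use of `GetFederationToken` is enough to re-trigger the rule; that is the case the false-positive guidance above addresses with exceptions.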
