First Occurrence of STS GetFederationToken Request by User
Identifies the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user within the last 10 days. The GetFederationToken API call allows users to request temporary security credentials to access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not normally have access to.
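# Rule bookkeeping. `updated_date` should track the last edit to this file;
# `maturity = "production"` marks the rule as shipped rather than experimental.
[metadata]
creation_date = "2024/08/19"
integration = ["aws"]
maturity = "production"
updated_date = "2024/08/19"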
6
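[rule]
author = ["Elastic"]
description = """
Identifies the first occurrence of an AWS Security Token Service (STS) `GetFederationToken` request made by a user
within the last 10 days. The `GetFederationToken` API call allows users to request temporary security credentials to
access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not
normally have access to.
"""
# Scheduling lookback for each run. The "10 days" in the description is the
# new-terms history window (see [rule.new_terms]), not this value.
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "First Occurrence of STS GetFederationToken Request by User"
# Per its title, the referenced write-up describes retaining access through
# GetFederationToken-issued credentials after an access key is deleted; that
# persistence angle is why a never-before-seen caller merits review even at
# low severity.
references = [
    "https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/"
]
risk_score = 21
rule_id = "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Amazon Web Services",
    "Data Source: AWS",
    "Data Source: AWS STS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
]
# Evaluate against ingest time so late-arriving CloudTrail events are not
# missed by the short `from` window.
timestamp_override = "event.ingested"
type = "new_terms"

# The query carries no event.outcome clause, so a caller's first
# GetFederationToken request is surfaced presumably whether or not the call
# was allowed. Leave it as is if denied attempts are wanted as signal; append
# `and event.outcome: success` to alert only when credentials were issued.
query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: sts.amazonaws.com
    and event.action: GetFederationToken
'''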
42
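# MITRE ATT&CK mapping: federation tokens are alternate authentication
# material (T1550.001, Application Access Token), filed under Defense Evasion
# (TA0005) to match the "Tactic: Defense Evasion" tag on the rule.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"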
59
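# New-terms baseline: alert the first time a caller ARN
# (aws.cloudtrail.user_identity.arn) appears within the history window.
# The 10-day window is what the description's "within the last 10 days"
# refers to; keep the two in sync when tuning.
[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"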