First Occurrence of STS GetFederationToken Request by User

Identifies the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user within the last 10 days. The GetFederationToken API call allows users to request temporary security credentials to access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not normally have access to.


[metadata]
creation_date = "2024/08/19"
integration = ["aws"]
maturity = "production"
updated_date = "2024/08/19"

[rule]
author = ["Elastic"]
description = """
Identifies the first occurrence of an AWS Security Token Service (STS) `GetFederationToken` request made by a user
within the last 10 days. The `GetFederationToken` API call allows users to request temporary security credentials to
access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not
normally have access to.
"""
# Lookback per rule execution. The "last 10 days" in the description is not
# this window; it is the new-terms history window declared in [rule.new_terms].
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "First Occurrence of STS GetFederationToken Request by User"
references = [
    "https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/"
]
# risk_score and severity express the same priority; change them together.
risk_score = 21
rule_id = "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Amazon Web Services",
    "Data Source: AWS",
    "Data Source: AWS STS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
]
# Evaluate on ingest time rather than event time, so CloudTrail events that
# arrive late are presumably still caught by the short `from` lookback.
timestamp_override = "event.ingested"
type = "new_terms"

# Every GetFederationToken call recorded by CloudTrail from the STS provider.
# NOTE(review): there is no event.outcome filter, so denied or failed attempts
# (if the dataset records them under this action) also count as a user's
# first occurrence — confirm whether that is intended.
query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: sts.amazonaws.com
    and event.action: GetFederationToken
'''

# ATT&CK mapping: sub-technique T1550.001 (Application Access Token) under
# T1550, filed against the Defense Evasion tactic (TA0005) referenced below.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

# The "new term" is the caller ARN: an alert fires when a value of
# aws.cloudtrail.user_identity.arn has no matching GetFederationToken event
# within the history window below. A caller who issues this call routinely
# presumably never alerts again until it has been quiet for longer than the window.
# NOTE(review): if callers can be role sessions, the ARN carries the session
# name and each new session would look like a new term — verify against data.
[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
# History window that defines "first occurrence"; this is the 10 days the
# description refers to.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
