AWS STS AssumeRole with New MFA Device

Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS). While a new MFA device is not always indicative of malicious behavior, it should be verified, as adversaries can use this technique for persistence and privilege escalation.

Elastic rule (View on GitHub)

# Rule metadata (Elastic rule format). Dates are strings in YYYY/MM/DD form, as the tooling expects.
[metadata]
creation_date = "2024/10/25"
# Requires the Elastic "aws" integration; the matching data streams are listed under `index` in [rule].
integration = ["aws"]
maturity = "production"
updated_date = "2024/10/25"


[rule]
author = ["Elastic"]
description = """
Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS). 
While a new MFA device is not always indicative of malicious behavior it should be verified as adversaries can use this technique for persistence and privilege escalation.
"""
false_positives = [
    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes and to perform periodic tasks such as data backups, updates, or deployments.",
]
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS STS AssumeRole with New MFA Device"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
    "https://github.com/RhinoSecurityLabs/cloudgoat/blob/d5863b80afd082d853f2e8df1955c6393695a4da/scenarios/iam_privesc_by_key_rotation/README.md",
]
# Low severity: a first-seen user/MFA-device pair is a triage signal, not proof of compromise
# (see false_positives above).
risk_score = 21
rule_id = "a22f566b-5b23-4412-880d-c6c957acd321"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Tactic: Lateral Movement",
]
# Evaluate the rule window on ingest time rather than event time, so late-arriving
# CloudTrail records still fall inside a run.
timestamp_override = "event.ingested"
# New-terms rule: an alert is raised the first time the field combination declared in
# [rule.new_terms] (user.id + MFA serialNumber) is seen within that table's history window,
# not on every matching event.
type = "new_terms"

# Event filter fed to the new-terms evaluation. All clauses must hold:
#   - STS API calls (event.provider) for the three role-assumption actions;
#   - successful calls only, so failed attempts with an unknown device are not alerted on;
#   - user.id and the MFA serialNumber request parameter must both be present, because the
#     new-terms fields are built from them and an event lacking either cannot form a term.
# NOTE(review): SerialNumber is a request parameter of AssumeRole; the AssumeRoleWithSAML and
# AssumeRoleWithWebIdentity actions do not appear to accept it, so in practice only AssumeRole
# events should satisfy the last clause — confirm against the linked API reference.
query = '''
event.dataset:aws.cloudtrail
    and event.provider:sts.amazonaws.com
    and event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity)
    and event.outcome:success
    and user.id:* 
    and aws.cloudtrail.flattened.request_parameters.serialNumber:*
'''


# ATT&CK mapping 1 of 3. The [rule.threat.tactic] table below belongs to this [[rule.threat]]
# element because it precedes the next [[rule.threat]] header.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.006"
name = "Multi-Factor Authentication"
reference = "https://attack.mitre.org/techniques/T1556/006/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
# ATT&CK mapping 2 of 3: technique without a sub-technique; the tactic table below is this element's.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
# ATT&CK mapping 3 of 3: the temporary STS credentials obtained via AssumeRole are the
# "alternate authentication material"; the tactic table below is this element's.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

# Fields whose combination defines a "term": a user assuming a role with an MFA device
# identifier that user has not been seen with before. Both fields are required to be
# present by the query in [rule].
[rule.new_terms]
field = "new_terms_fields"
value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"]
# Look-back used to decide whether a term is new. A legitimate device not used with this
# user for more than 10 days is reported as new again, so tune this with the expected
# MFA-use cadence in mind.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules
