AWS STS AssumeRoot by Rare User and Member Account

Identifies when the STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries who may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role and specific member account.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2024/11/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/11/24"

[rule]
author = ["Elastic"]
description = """
Identifies when the STS `AssumeRoot` action is performed by a rare user in AWS. The AssumeRoot action allows users to
assume the root member account role, granting elevated but specific permissions based on the task policy specified.
Adversaries who may have compromised user credentials, such as access and secret keys, can use this technique to
escalate privileges and gain unauthorized access to AWS resources. This is a [New
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies
when the STS `AssumeRoot` action is performed by a user that rarely assumes this role and specific member account.
"""
false_positives = [
    "AWS administrators or automated processes might regularly assume root for legitimate administrative purposes.",
    "AWS services might assume root to access AWS resources as part of their standard operations.",
    "Automated workflows might assume root to perform periodic administrative tasks.",
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS STS AssumeRoot by Rare User and Member Account"
note = """
## Triage and Analysis

### Investigating AWS STS AssumeRoot by Rare User and Member Account

This rule identifies instances where AWS STS (Security Token Service) is used to assume a root role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.

#### Possible Investigation Steps

- **Identify the Actor and Assumed Role**:
  - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRoot` action.
  - **Account Context**: Check the `aws.cloudtrail.recipient_account_id` field for the account affected by the action. This is likely the management account.
  - **Authentication**: If available, review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used for the action. This key may be compromised in the case of unauthorized activity.
  - **Resources**: Inspect `aws.cloudtrail.resources.type` and `aws.cloudtrail.resources.arn` to determine the resource or role assumed. This is the member account where the root role was assumed.

- **Analyze Request Parameters**:
  - **Session Details**: Check `aws.cloudtrail.flattened.request_parameters.durationSeconds` for session duration.
  - **Permissions**: Review `aws.cloudtrail.flattened.request_parameters.taskPolicyArn` for the associated policy. These policies are predefined and grant specific permissions to the assumed root account.
  - **Target Entity**: Inspect the `aws.cloudtrail.flattened.request_parameters.targetPrincipal` field for the entity being accessed. This is typically the member account.
  - **Target Policy**: Inspect the `aws.cloudtrail.flattened.request_parameters.targetPolicyArn` field for the policy applied to temporary root credentials. This can help determine the scope of the permissions granted.

- **Examine Response Details**:
  - **Credentials Issued**: Review `aws.cloudtrail.flattened.response_elements.credentials` to confirm credentials were issued and note their expiration (`expiration` field). The temporary access key can be used to pivot into other actions done by the assumed root account by searching for the value in `aws.cloudtrail.user_identity.access_key_id`.

- **Inspect Source Details**:
  - **Source IP and Location**: Evaluate `source.address` and `source.geo` fields to confirm the request's origin. Unusual locations might indicate unauthorized activity.
  - **User Agent**: Analyze `user_agent.original` to determine the tool or application used (e.g., AWS CLI, SDK, or custom tooling).

- **Correlate with Related Events**:
  - **Concurrent Events**: Look for surrounding CloudTrail events that indicate follow-up actions, such as access to sensitive resources or privilege escalation attempts.
  - **Historical Activity**: Review historical activity for the `aws.cloudtrail.user_identity.arn` to determine if this action is anomalous.

- **Evaluate Privilege Escalation Risk**:
  - **Role Privileges**: Inspect the privileges granted by the assumed role or task policy (`aws.cloudtrail.flattened.request_parameters.taskPolicyArn`).
  - **Operational Context**: Confirm whether the action aligns with routine operations or is unusual.

### False Positive Analysis

- **Authorized Administrative Activity**:
  - Verify if the activity was initiated by an AWS administrator for legitimate purposes.
- **Automated Workflows**:
  - Identify if the action was part of an automated process or workflow.

### Response and Remediation

1. **Revoke Unauthorized Credentials**:
   - If malicious activity is identified, immediately revoke the session tokens and access keys associated with the `AssumeRoot` action.
   - It may be worth removing the compromised access key from the affected user or service account.
2. **Enhance Monitoring**:
   - Increase the monitoring frequency for sensitive roles and actions, especially `AssumeRoot`.
3. **Review IAM Policies**:
   - Limit permissions for accounts or roles to assume root and enforce multi-factor authentication (MFA) where applicable.
4. **Contain and Investigate**:
   - Isolate affected accounts or roles and follow incident response procedures to determine the scope and impact of the activity.

### Additional Information

For more information on AssumeRoot, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html).
"""
references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html"]
risk_score = 21
rule_id = "962a71ae-aac9-11ef-9348-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Resources: Investigation Guide",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRoot"
    and event.outcome: "success"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.005"
name = "Temporary Elevated Cloud Access"
reference = "https://attack.mitre.org/techniques/T1548/005/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.access_key_id",
    "source.address",
    "aws.cloudtrail.resources.account_id",
    "aws.cloudtrail.recipient_account_id",
    "aws.cloudtrail.flattened.request_parameters",
    "event.action",
    "event.outcome",
    "aws.cloudtrail.flattened.request_parameters.taskPolicyArn",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn", "aws.cloudtrail.resources.account_id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
```
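As an added illustration (not code from the Elastic rule or its repository), the following Python reproduces what the rule does over constructed CloudTrail-as-ECS documents: the KQL filter from `query`, then new-terms detection on the `aws.cloudtrail.user_identity.arn` / `aws.cloudtrail.resources.account_id` pair against the 10-day history window, attaching the triage fields the investigation guide pivots on. It simplifies the real engine by measuring the history window per event rather than from the rule's execution time; the sample ARNs, account IDs, access key, IP and task policy value are made up for the demo.

```python
from datetime import datetime, timedelta, timezone

# Mirrors the rule: history_window_start = now-10d, and the two new_terms fields
# whose combination must be previously unseen for an event to raise an alert.
HISTORY_WINDOW = timedelta(days=10)
NEW_TERMS_FIELDS = ("aws.cloudtrail.user_identity.arn", "aws.cloudtrail.resources.account_id")
# Fields the investigation guide pivots on; copied onto each alert for triage.
TRIAGE_FIELDS = ("aws.cloudtrail.user_identity.access_key_id", "source.address",
                 "aws.cloudtrail.flattened.request_parameters.taskPolicyArn",
                 "aws.cloudtrail.flattened.request_parameters.targetPrincipal")

def matches_query(ev):
    """The rule's KQL: successful STS AssumeRoot events from CloudTrail."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "sts.amazonaws.com"
            and ev.get("event.action") == "AssumeRoot"
            and ev.get("event.outcome") == "success")

def when(ev):
    return datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def new_terms_alerts(events):
    """Matching events whose (user ARN, member account) pair has not appeared in a
    matching event during the preceding HISTORY_WINDOW, plus their triage fields."""
    last_seen, alerts = {}, []
    for ev in sorted(filter(matches_query, events), key=when):
        key, t = tuple(ev.get(f) for f in NEW_TERMS_FIELDS), when(ev)
        if key not in last_seen or t - last_seen[key] > HISTORY_WINDOW:
            alerts.append({"@timestamp": ev["@timestamp"], "terms": key,
                           "triage": {f: ev.get(f) for f in TRIAGE_FIELDS}})
        last_seen[key] = t
    return alerts

def ct_event(ts, arn, member, action="AssumeRoot", outcome="success"):
    """Constructed CloudTrail-as-ECS document; every value is made up for this demo."""
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "sts.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "aws.cloudtrail.user_identity.arn": arn,
            "aws.cloudtrail.resources.account_id": member, "source.address": "203.0.113.10",
            "aws.cloudtrail.user_identity.access_key_id": "AKIAEXAMPLEKEY000001",
            "aws.cloudtrail.flattened.request_parameters.targetPrincipal": member,
            "aws.cloudtrail.flattened.request_parameters.taskPolicyArn":
                "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"}

ADMIN = "arn:aws:iam::111111111111:user/ops-admin"
SAMPLE_EVENTS = [  # constructed history; comments give the expected rule verdict
    ct_event("2024-11-01T08:00:00Z", ADMIN, "222222222222"),  # never seen: alert
    ct_event("2024-11-16T08:00:00Z", ADMIN, "222222222222"),  # 15-day gap: alert again
    ct_event("2024-11-23T08:00:00Z", ADMIN, "222222222222"),  # seen 7 days ago: quiet
    ct_event("2024-11-23T09:00:00Z", ADMIN, "333333333333"),  # new member account: alert
    ct_event("2024-11-24T08:00:00Z", ADMIN, "222222222222", outcome="failure"),  # no match
    ct_event("2024-11-24T08:05:00Z", ADMIN, "222222222222", action="AssumeRole"),  # no match
]
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields three alerts (the first sighting, the sighting after a gap longer than the window, and the new member account); the failed and non-AssumeRoot events never reach the new-terms stage, matching the rule's `event.outcome: "success"` and `event.action: "AssumeRoot"` clauses.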
References
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html
Related rules
- AWS STS Role Assumption by Service
- AWS STS Role Assumption by User
- AWS IAM Assume Role Policy Update
- AWS IAM AdministratorAccess Policy Attached to User
- AWS IAM Customer-Managed Policy Attached to Role by Rare User