AWS Security Token Service (STS) AssumeRole Usage

Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/05/17"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Austin Songer"]
description = """
Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access
AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
"""
false_positives = ["Automated processes that use Terraform may lead to false positives."]
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Security Token Service (STS) AssumeRole Usage"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
risk_score = 21
rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and
aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
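
The rule's query is five exact-match terms joined with `and`, so a document that misses any one of them produces no alert. The following is an added example, not part of the Elastic rule: it evaluates those terms over ECS-shaped documents and reports which term failed. The helper names and every sample event are constructed for illustration, and matching is simplified to equality on single-valued fields.

```python
# Added example: the rule's five query terms as an exact-match predicate.
# Helper names and every event below are constructed for illustration.
ISSUER = "aws.cloudtrail.user_identity.session_context.session_issuer.type"
RULE_TERMS = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "sts.amazonaws.com",
    "event.action": "AssumedRole",
    ISSUER: "Role",
    "event.outcome": "success",
}

def get_field(doc, dotted):
    """Resolve a dotted field name in a nested dict; None when absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def failed_terms(doc):
    """Rule terms the document does not satisfy (empty list means alert)."""
    return [f for f, want in RULE_TERMS.items() if get_field(doc, f) != want]

def make_event(**event_overrides):
    """Constructed document that satisfies every term unless overridden."""
    doc = {
        "event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
                  "action": "AssumedRole", "outcome": "success"},
        "aws": {"cloudtrail": {"user_identity": {
            "session_context": {"session_issuer": {"type": "Role"}}}}},
    }
    doc["event"].update(event_overrides)
    return doc

def sample_events():
    no_issuer = make_event()
    # Caller without a role session issuer: the issuer field is absent.
    no_issuer["aws"]["cloudtrail"]["user_identity"] = {"type": "IAMUser"}
    return {
        "role_session_success": make_event(),
        "denied_call": make_event(outcome="failure"),
        "other_action_value": make_event(action="AssumeRole"),
        "other_service": make_event(provider="s3.amazonaws.com"),
        "no_session_issuer": no_issuer,
    }

if __name__ == "__main__":
    for name, doc in sample_events().items():
        missed = failed_terms(doc)
        print(f"{name}: {'ALERT' if not missed else 'no match: ' + ', '.join(missed)}")
```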
