AWS Security Token Service (STS) AssumeRole Usage
Identifies successful calls to the STS AssumeRole API that are made from a session which was itself issued by an IAM role (role chaining). AssumeRole returns a set of temporary security credentials that can be used to access AWS resources; an adversary holding one compromised role session can use it to assume further roles, moving laterally across accounts and escalating privileges. Because the query requires `session_issuer.type` to be `Role`, an IAM user calling AssumeRole directly with long-term access keys does not match this rule. AssumeRole is also extremely common in healthy environments (CI pipelines, cross-account tooling), which is why the rule carries a low severity and is intended as an identity and access audit signal rather than a high-confidence alert.
Elastic rule
[metadata]
creation_date = "2021/05/17"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"

[rule]
author = ["Austin Songer"]
description = """
Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access
AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
"""
false_positives = ["Automated processes that use Terraform may lead to false positives."]
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Security Token Service (STS) AssumeRole Usage"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
risk_score = 21
rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and
aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
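To make the scope of the query concrete, the following Python script replays the rule's KQL over a handful of constructed CloudTrail records. This is an added example, not code from Elastic or from the rule repository. The records, account IDs and role ARNs are made up for illustration, and the `to_ecs` projection assumes the Fleet/Filebeat aws.cloudtrail mapping (eventSource becomes `event.provider`, eventName becomes `event.action`, and `event.outcome` is `failure` whenever `errorCode` is present). Alongside the role-chaining case that should fire, it includes the cases the rule deliberately stays silent on: an IAM user assuming a role with long-term keys, a denied attempt, a different STS action, and a GetSessionToken-backed user session.

```python
"""Replay of the rule's KQL over constructed CloudTrail records."""
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical ARNs; the account IDs and role names are made up for this example.
CI_ROLE = "arn:aws:iam::111122223333:role/ci-runner"
PROD_ADMIN = "arn:aws:iam::444455556666:role/prod-admin"
ALICE = "arn:aws:iam::111122223333:user/alice"


def make_record(event_id: str, event_name: str, *, issuer_type: Optional[str] = None,
                issuer_arn: Optional[str] = None, target_role: Optional[str] = None,
                error_code: Optional[str] = None) -> Dict[str, Any]:
    """Build a minimal raw CloudTrail record (constructed; only the fields the
    rule and the triage output need are populated)."""
    identity: Dict[str, Any] = {"type": "AssumedRole" if issuer_type == "Role" else "IAMUser"}
    if issuer_type:
        # sessionContext exists only for temporary credentials; long-term keys have none.
        identity["sessionContext"] = {"sessionIssuer": {"type": issuer_type, "arn": issuer_arn}}
    record: Dict[str, Any] = {
        "eventID": event_id,
        "eventSource": "sts.amazonaws.com",
        "eventName": event_name,
        "userIdentity": identity,
        "requestParameters": {"roleArn": target_role} if target_role else None,
    }
    if error_code:
        record["errorCode"] = error_code
    return record


SAMPLE_CLOUDTRAIL: List[Dict[str, Any]] = [
    # 1. Role chaining: a session issued by ci-runner assumes prod-admin.  Fires.
    make_record("evt-1", "AssumeRole", issuer_type="Role", issuer_arn=CI_ROLE, target_role=PROD_ADMIN),
    # 2. IAM user with long-term keys assumes prod-admin: no sessionIssuer.  Silent.
    make_record("evt-2", "AssumeRole", target_role=PROD_ADMIN),
    # 3. Same chain as 1 but denied: event.outcome becomes "failure".  Silent.
    make_record("evt-3", "AssumeRole", issuer_type="Role", issuer_arn=CI_ROLE,
                target_role=PROD_ADMIN, error_code="AccessDenied"),
    # 4. Another STS action from a role session: event.action differs.  Silent.
    make_record("evt-4", "GetCallerIdentity", issuer_type="Role", issuer_arn=CI_ROLE),
    # 5. GetSessionToken-backed user session: sessionIssuer.type is "User".  Silent.
    make_record("evt-5", "AssumeRole", issuer_type="User", issuer_arn=ALICE, target_role=PROD_ADMIN),
]

# The rule's KQL, expressed as exact keyword matches joined by "and".
RULE_CLAUSES: Dict[str, str] = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "sts.amazonaws.com",
    "event.action": "AssumeRole",
    "aws.cloudtrail.user_identity.session_context.session_issuer.type": "Role",
    "event.outcome": "success",
}


def to_ecs(record: Dict[str, Any]) -> Dict[str, Any]:
    """Project a raw record onto the ECS names the KQL references.  Assumption:
    this mirrors the Fleet/Filebeat aws.cloudtrail mapping, which copies
    eventSource to event.provider and eventName to event.action, and reports
    event.outcome as "failure" when errorCode is present."""
    session = (record.get("userIdentity") or {}).get("sessionContext") or {}
    issuer = session.get("sessionIssuer") or {}
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if "errorCode" in record else "success",
        "aws.cloudtrail.user_identity.session_context.session_issuer.type": issuer.get("type"),
    }


def matches_rule(ecs: Dict[str, Any]) -> bool:
    """True when every clause of the rule's query matches the projected event."""
    return all(ecs.get(field) == value for field, value in RULE_CLAUSES.items())


def run_rule(records: List[Dict[str, Any]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (event ID, issuing role ARN, requested role ARN) for each hit.
    The issuer -> target pair is the pivot an analyst follows to trace the chain."""
    hits: List[Tuple[str, str, Optional[str]]] = []
    for record in records:
        if matches_rule(to_ecs(record)):
            issuer_arn = record["userIdentity"]["sessionContext"]["sessionIssuer"]["arn"]
            target = (record.get("requestParameters") or {}).get("roleArn")
            hits.append((record["eventID"], issuer_arn, target))
    return hits


if __name__ == "__main__":
    for event_id, source, target in run_rule(SAMPLE_CLOUDTRAIL):
        print(f"{event_id}: {source} -> {target}")
```

Run stand-alone, the script reports only `evt-1`, with the issuing role `ci-runner` and the requested role `prod-admin`. That pair is what to pivot on during triage: the session issuer ARN tells you which role's credentials were already in the attacker's hands, and `requestParameters.roleArn` tells you where they went next. The silent cases are worth keeping in mind when tuning; the direct IAM-user case (evt-2) and the GetSessionToken case (evt-5) are outside this rule's scope by design.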
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
Related rules
- AWS IAM Assume Role Policy Update
- AWS STS GetSessionToken Abuse
- AWS EC2 Instance Connect SSH Public Key Uploaded
- AWS IAM User Created Access Keys For Another User
- AWS IAM AdministratorAccess Policy Attached to Group