AWS Security Token Service (STS) AssumeRole Usage

calendar Apr 16, 2024 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Use Case: Identity and Access Audit Tactic: Privilege Escalation  ·
Share on: linkedin copy

Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/05/17"
 3integration = ["aws"]
 4maturity = "production"
 5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 6min_stack_version = "8.9.0"
 7updated_date = "2024/04/14"
 8
 9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access
13AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
14"""
15false_positives = ["Automated processes that use Terraform may lead to false positives."]
16index = ["filebeat-*", "logs-aws.cloudtrail-*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "AWS Security Token Service (STS) AssumeRole Usage"
20note = """## Setup
21
22The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
23references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
24risk_score = 21
25rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
26severity = "low"
27tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and
33aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1548"
41name = "Abuse Elevation Control Mechanism"
42reference = "https://attack.mitre.org/techniques/T1548/"
43
44
45[rule.threat.tactic]
46id = "TA0004"
47name = "Privilege Escalation"
48reference = "https://attack.mitre.org/tactics/TA0004/"
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1550"
53name = "Use Alternate Authentication Material"
54reference = "https://attack.mitre.org/techniques/T1550/"
55[[rule.threat.technique.subtechnique]]
56id = "T1550.001"
57name = "Application Access Token"
58reference = "https://attack.mitre.org/techniques/T1550/001/"
59
60
61
62[rule.threat.tactic]
63id = "TA0008"
64name = "Lateral Movement"
65reference = "https://attack.mitre.org/tactics/TA0008/"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • AssumeRole - AWS Security Token Service

    Returns a set of temporary security credentials that you can use to access AWS resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of


    Read More

Related rules

to-top