AWS STS GetSessionToken Abuse

calendar May 22, 2024 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Use Case: Identity and Access Audit Tactic: Privilege Escalation  ·
Share on: linkedin copy

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/05/17"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = """
10Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and
11escalate privileges.
12"""
13false_positives = [
14    """
15    GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent,
16    and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should
17    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
18    """,
19]
20index = ["filebeat-*", "logs-aws.cloudtrail-*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "AWS STS GetSessionToken Abuse"
24note = """## Setup
25
26The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"]
28risk_score = 21
29rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
30severity = "low"
31tags = [
32    "Domain: Cloud",
33    "Data Source: AWS",
34    "Data Source: Amazon Web Services",
35    "Data Source: AWS STS",
36    "Use Case: Identity and Access Audit",
37    "Tactic: Privilege Escalation",
38]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and
44aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1548"
52name = "Abuse Elevation Control Mechanism"
53reference = "https://attack.mitre.org/techniques/T1548/"
54
55
56[rule.threat.tactic]
57id = "TA0004"
58name = "Privilege Escalation"
59reference = "https://attack.mitre.org/tactics/TA0004/"
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62[[rule.threat.technique]]
63id = "T1550"
64name = "Use Alternate Authentication Material"
65reference = "https://attack.mitre.org/techniques/T1550/"
66[[rule.threat.technique.subtechnique]]
67id = "T1550.001"
68name = "Application Access Token"
69reference = "https://attack.mitre.org/techniques/T1550/001/"
70
71
72
73[rule.threat.tactic]
74id = "TA0008"
75name = "Lateral Movement"
76reference = "https://attack.mitre.org/tactics/TA0008/"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • GetSessionToken - AWS Security Token Service

    Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2


    Read More

Related rules

to-top