AWS STS GetSessionToken Abuse

calendar Apr 16, 2024 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Use Case: Identity and Access Audit Tactic: Privilege Escalation  ·
Share on: linkedin copy

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/05/17"
 3integration = ["aws"]
 4maturity = "production"
 5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
 6min_stack_version = "8.9.0"
 7updated_date = "2024/04/14"
 8
 9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and
13escalate privileges.
14"""
15false_positives = [
16    """
17    GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent,
18    and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should
19    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
20    """,
21]
22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS STS GetSessionToken Abuse"
26note = """## Setup
27
28The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"]
30risk_score = 21
31rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
32severity = "low"
33tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services",  "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
34timestamp_override = "event.ingested"
35type = "query"
36
37query = '''
38event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and
39aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1548"
47name = "Abuse Elevation Control Mechanism"
48reference = "https://attack.mitre.org/techniques/T1548/"
49
50
51[rule.threat.tactic]
52id = "TA0004"
53name = "Privilege Escalation"
54reference = "https://attack.mitre.org/tactics/TA0004/"
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1550"
59name = "Use Alternate Authentication Material"
60reference = "https://attack.mitre.org/techniques/T1550/"
61[[rule.threat.technique.subtechnique]]
62id = "T1550.001"
63name = "Application Access Token"
64reference = "https://attack.mitre.org/techniques/T1550/001/"
65
66
67
68[rule.threat.tactic]
69id = "TA0008"
70name = "Lateral Movement"
71reference = "https://attack.mitre.org/tactics/TA0008/"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • GetSessionToken - AWS Security Token Service

    Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2


    Read More

Related rules

to-top