AWS STS Role Chaining

 1[metadata]
 2creation_date = "2024/10/23"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/10/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API. 
11While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges. 
12Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
13This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.
14"""
15false_positives = [
16    """
17    Role chaining can be used as an access control. Ensure that this behavior is not part of a legitimate operation before taking action.
18    """,
19]
20from = "now-6m"
21language = "esql"
22license = "Elastic License v2"
23name = "AWS STS Role Chaining"
24note = """## Setup
25
26The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = [
28    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts",
29    "https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials",
30    "https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/",
31]
32risk_score = 47
33rule_id = "ba5a0b0c-b477-4729-a3dc-0147c2049cf1"
34severity = "medium"
35tags = [
36    "Domain: Cloud",
37    "Data Source: AWS",
38    "Data Source: Amazon Web Services",
39    "Data Source: AWS STS",
40    "Use Case: Threat Detection",
41    "Tactic: Persistence",
42    "Tactic: Privilege Escalation",
43    "Tactic: Lateral Movement",
44]
45timestamp_override = "event.ingested"
46type = "esql"
47
48query = '''
49from logs-aws.cloudtrail-* metadata _id, _version, _index
50
51// filter for AssumeRole API calls where access key id is a short term token beginning with ASIA
52| where event.dataset == "aws.cloudtrail" and event.provider == "sts.amazonaws.com" and event.action == "AssumeRole" and aws.cloudtrail.resources.account_id == aws.cloudtrail.recipient_account_id and aws.cloudtrail.user_identity.access_key_id like "ASIA*"
53
54// keep only the relevant fields
55| keep aws.cloudtrail.user_identity.arn, cloud.region, aws.cloudtrail.resources.account_id, aws.cloudtrail.recipient_account_id, aws.cloudtrail.user_identity.access_key_id
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1548"
63name = "Abuse Elevation Control Mechanism"
64reference = "https://attack.mitre.org/techniques/T1548/"
65
66
67[rule.threat.tactic]
68id = "TA0004"
69name = "Privilege Escalation"
70reference = "https://attack.mitre.org/tactics/TA0004/"
71[[rule.threat]]
72framework = "MITRE ATT&CK"
73[[rule.threat.technique]]
74id = "T1550"
75name = "Use Alternate Authentication Material"
76reference = "https://attack.mitre.org/techniques/T1550/"
77[[rule.threat.technique.subtechnique]]
78id = "T1550.001"
79name = "Application Access Token"
80reference = "https://attack.mitre.org/techniques/T1550/001/"
81
82
83[rule.threat.tactic]
84id = "TA0008"
85name = "Lateral Movement"
86reference = "https://attack.mitre.org/tactics/TA0008/"
87[[rule.threat]]
88framework = "MITRE ATT&CK"
89
90[rule.threat.tactic]
91id = "TA0003"
92name = "Persistence"
93reference = "https://attack.mitre.org/tactics/TA0003/"