AWS STS Temporary Credentials via AssumeRole
Identifies when a user has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation.
Elastic rule
[metadata]
creation_date = "2021/05/17"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"


[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when a user has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain
temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege
escalation.
"""
false_positives = [
    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.",
    "Applications integrated with AWS might assume roles to access AWS resources.",
    """
    Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.
    """,
]
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS STS Temporary Credentials via AssumeRole"
note = """## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
risk_score = 21
rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:aws.cloudtrail
    and event.provider:sts.amazonaws.com
    and event.action:AssumeRole*
    and event.outcome:success
    and user.id:*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[rule.new_terms]
field = "new_terms_fields"
value = ["user.id", "aws.cloudtrail.flattened.request_parameters.roleArn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
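To make the rule's behaviour concrete, the following added example (not Elastic's code) replays the KQL filter and the new_terms logic over constructed CloudTrail records: a (user, roleArn) pair alerts only when it has not been seen in the previous 10 days. It works on raw CloudTrail field names (eventSource, eventName, errorCode, userIdentity.arn, requestParameters.roleArn); the assumption that these correspond to event.provider, event.action, event.outcome, user.id and aws.cloudtrail.flattened.request_parameters.roleArn is a simplification of the integration's mapping.

```python
from datetime import datetime, timedelta

# Rule's history_window_start = "now-10d": a (user, role) pair not seen in the
# previous 10 days counts as a new term.
HISTORY_WINDOW = timedelta(days=10)

def matches_query(ev):
    """Mirror of the KQL filter on raw CloudTrail fields (assumed mapping)."""
    return (ev.get("eventSource") == "sts.amazonaws.com"          # event.provider
            and ev.get("eventName", "").startswith("AssumeRole")  # event.action
            and "errorCode" not in ev                             # event.outcome:success
            and bool(ev.get("userIdentity", {}).get("arn")))      # user.id:*

def new_terms_alerts(events):
    """Return (eventTime, user, roleArn) for each successful AssumeRole whose
    user/role pair was not seen inside the history window before it."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        key = (ev["userIdentity"]["arn"], ev["requestParameters"]["roleArn"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append((ev["eventTime"],) + key)
        last_seen[key] = ts
    return alerts

# Constructed sample records (trimmed CloudTrail shape, not real data).
USER = "arn:aws:iam::111111111111:user/deploy-user"
DEPLOY = "arn:aws:iam::111111111111:role/DeployRole"
ADMIN = "arn:aws:iam::111111111111:role/AdminRole"

def sts(time, role, **extra):
    return {"eventTime": time, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRole", "userIdentity": {"arn": USER},
            "requestParameters": {"roleArn": role}, **extra}

SAMPLE_EVENTS = [
    sts("2024-07-01T08:00:00Z", DEPLOY),                           # first sighting -> alert
    sts("2024-07-05T08:00:00Z", DEPLOY),                           # seen 4 days ago -> quiet
    sts("2024-07-20T08:00:00Z", ADMIN),                            # new role for this user -> alert
    sts("2024-07-20T09:00:00Z", ADMIN, errorCode="AccessDenied"),  # failed call -> filtered
    {"eventTime": "2024-07-20T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": USER}},  # not STS -> filtered
    sts("2024-07-25T08:00:00Z", DEPLOY),                           # last seen 20 days ago -> alert
]

if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS):
        print("NEW TERMS:", *alert)
```

The last sample shows the window semantics that trip people up: a pair seen 20 days ago is reported again, because only sightings inside the 10-day history suppress the alert.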
Related rules
- AWS IAM Assume Role Policy Update
- AWS STS GetSessionToken Abuse
- AWS IAM SAML Provider Updated
- AWS EC2 Instance Console Login via Assumed Role
- AWS EC2 Instance Interaction with IAM Service