AWS Console GetSigninToken Potential Abuse
Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
Sigma rule (View on GitHub)
1title: AWS Console GetSigninToken Potential Abuse
2id: f8103686-e3e8-46f3-be72-65f7fcb4aa53
3status: experimental
4description: |
5 Detects potentially suspicious events involving "GetSigninToken".
6 An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
7references:
8 - https://github.com/NetSPI/aws_consoler
9 - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
10author: Chester Le Bron (@123Le_Bron)
11date: 2024/02/26
12tags:
13 - attack.lateral_movement
14 - attack.t1021.007
15 - attack.t1550.001
16logsource:
17 product: aws
18 service: cloudtrail
19detection:
20 selection:
21 eventSource: 'signin.amazonaws.com'
22 eventName: 'GetSigninToken'
23 filter_main_console_ua:
24 userAgent|contains: 'Jersey/${project.version}'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - GetSigninToken events will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. Non-SSO configured roles would be abnormal and should be investigated.
28level: medium
References
-
GitHub - NetSPI/aws_consoler: A utility to convert your AWS CLI credentials into AWS console access.
A utility to convert your AWS CLI credentials into AWS console access. - NetSPI/aws_consoler
Read More -
CrowdStrike Services analyzes a recent intrusion campaign targeting telecom and business process outsourcing companies and shares how to defend against this attack.
Read More
Related rules
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- Password Provided In Command Line Of Net.EXE
- Bitbucket Global SSH Settings Changed