AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
Sigma rule
title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
    Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
    A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
    - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
    - attack.persistence
    - attack.t1556
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource:
            - 'sso-directory.amazonaws.com'
            - 'sso.amazonaws.com'
        eventName:
            - 'AssociateDirectory'
            - 'DisableExternalIdPConfigurationForDirectory'
            - 'DisassociateDirectory'
            - 'EnableExternalIdPConfigurationForDirectory'
    condition: selection
falsepositives:
    - Authorized changes to the AWS account's identity provider
level: high
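As an added illustration (not part of the rule or its author's work), the selection above transcribed into a small Python matcher and run over constructed CloudTrail records: the field names are CloudTrail's own, while the account ID, ARN, IP address and timestamps are made up. The matcher also pulls out the fields an analyst needs to decide whether a hit is one of the authorized changes listed under falsepositives.

```python
import json

# The rule's selection: eventSource AND eventName, each matching any listed value.
EVENT_SOURCES = {"sso-directory.amazonaws.com", "sso.amazonaws.com"}
EVENT_NAMES = {
    "AssociateDirectory",
    "DisableExternalIdPConfigurationForDirectory",
    "DisassociateDirectory",
    "EnableExternalIdPConfigurationForDirectory",
}


def matches_rule(record: dict) -> bool:
    """True when one CloudTrail record satisfies the Sigma selection."""
    return (record.get("eventSource") in EVENT_SOURCES
            and record.get("eventName") in EVENT_NAMES)


def triage(record: dict) -> dict:
    """Extract who changed the IdP, from where, when, and whether MFA was used."""
    ident = record.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "eventTime": record.get("eventTime"),
        "eventName": record.get("eventName"),
        "actor": ident.get("arn") or ident.get("principalId"),
        "mfaAuthenticated": attrs.get("mfaAuthenticated"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "awsRegion": record.get("awsRegion"),
    }


def scan_cloudtrail(payload: str) -> list:
    """Run the rule over a CloudTrail log file body ({"Records": [...]})."""
    records = json.loads(payload).get("Records", [])
    return [triage(r) for r in records if matches_rule(r)]


# Constructed sample: one IdP change, one unrelated Identity Center call, one IAM call.
ACTOR = "arn:aws:iam::111122223333:user/constructed-admin"  # made-up ARN
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-09-27T10:15:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "DisableExternalIdPConfigurationForDirectory", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ACTOR,
     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2023-09-27T10:15:05Z", "eventSource": "sso.amazonaws.com",
     "eventName": "ListInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ACTOR}},
    {"eventTime": "2023-09-27T10:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ACTOR}},
]})

if __name__ == "__main__":
    for hit in scan_cloudtrail(SAMPLE_LOG):
        print(hit)
```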