AWS STS GetSessionToken Misuse

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Sigma rule

title: AWS STS GetSessionToken Misuse
id: b45ab1d2-712f-4f01-a751-df3826969807
status: test
description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
references:
    - https://github.com/elastic/detection-rules/pull/1213
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1548
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: sts.amazonaws.com
        eventName: GetSessionToken
        userIdentity.type: IAMUser
    condition: selection
falsepositives:
    - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
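To show what the selection above actually matches, here is an added example (not part of the Sigma rule or the Sigma project) that applies the rule's three selection fields to a few constructed CloudTrail records and pulls out the user and source address the false-positive note says to verify; the helper names and the sample records are assumptions.

```python
"""Apply the rule's selection (eventSource, eventName, userIdentity.type) to CloudTrail records."""

# The selection map from the rule; in Sigma every field in a map must match (logical AND).
SELECTION = {
    "eventSource": "sts.amazonaws.com",
    "eventName": "GetSessionToken",
    "userIdentity.type": "IAMUser",
}


def _lookup(record, dotted_key):
    """Resolve a Sigma dotted field name (e.g. userIdentity.type) inside a nested CloudTrail record."""
    value = record
    for part in dotted_key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def matches(record):
    """True when every selection field equals its expected value (Sigma string matches are case-insensitive)."""
    for key, expected in SELECTION.items():
        actual = _lookup(record, key)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True


def alerts(records):
    """Return (userName, sourceIPAddress) for each matching record, the fields to triage per the rule's FP note."""
    return [(r.get("userIdentity", {}).get("userName"), r.get("sourceIPAddress"))
            for r in records if matches(r)]


# Constructed sample records (not real CloudTrail data); only the fields the rule needs are present.
SAMPLE_RECORDS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7"},
    # Same API call, but from an assumed role: the rule deliberately ignores this.
    {"eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "203.0.113.9"},
    # IAM user, but a different STS call: not covered by this rule.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.5"},
]

if __name__ == "__main__":
    for user, ip in alerts(SAMPLE_RECORDS):
        print(f"GetSessionToken by IAM user {user} from {ip}")
```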
