AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
Sigma rule (View on GitHub)
1title: AWS STS GetSessionToken Misuse
2id: b45ab1d2-712f-4f01-a751-df3826969807
3status: test
4description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
5references:
6 - https://github.com/elastic/detection-rules/pull/1213
7 - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
8author: Austin Songer @austinsonger
9date: 2021/07/24
10modified: 2022/10/09
11tags:
12 - attack.lateral_movement
13 - attack.privilege_escalation
14 - attack.t1548
15 - attack.t1550
16 - attack.t1550.001
17logsource:
18 product: aws
19 service: cloudtrail
20detection:
21 selection:
22 eventSource: sts.amazonaws.com
23 eventName: GetSessionToken
24 userIdentity.type: IAMUser
25 condition: selection
26falsepositives:
27 - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
28level: low
References
-
Issues Resolves #1152 Relates #955 Summary Contributor checklist Have you signed the contributor license agreement? Have you followed the contributor guidelines?
Read More -
Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2
Read More
Related rules
- AWS STS AssumeRole Misuse
- AWS Suspicious SAML Activity
- COM Hijack via Sdclt
- Remote WMI ActiveScriptEventConsumers
- CobaltStrike Service Installations - System