AWS Suspicious SAML Activity

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Sigma rule

title: AWS Suspicious SAML Activity
id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
status: test
description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
author: Austin Songer
date: 2021-09-22
modified: 2022-12-18
tags:
    - attack.defense-evasion
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1078
    - attack.t1548
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_sts:
        eventSource: 'sts.amazonaws.com'
        eventName: 'AssumeRoleWithSAML'
    selection_iam:
        eventSource: 'iam.amazonaws.com'
        eventName: 'UpdateSAMLProvider'
    condition: 1 of selection_*
falsepositives:
    - Automated processes that use Terraform may lead to false positives.
    - The SAML provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - A SAML provider being updated by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
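The following is an added example, not part of the Sigma rule or the SigmaHQ project, showing how the rule's two selections and its `1 of selection_*` condition translate into plain matching logic run over CloudTrail records, together with a triage hint derived from the rule's own false-positive notes (a Terraform user agent marks probable automation). The CloudTrail records are constructed sample data, and the field names beyond `eventSource`/`eventName` (`userIdentity`, `userAgent`, `sourceIPAddress`) follow the standard CloudTrail record layout. Sigma matches string values case-insensitively, so the comparison lower-cases both sides.

```python
import json
from typing import Iterable, List, Optional

# Constructed sample CloudTrail records (not real log data). One SAML federation
# event, one SAML provider change made through Terraform, one unrelated IAM call.
SAMPLE_CLOUDTRAIL_RECORDS = [
    json.dumps({
        "eventTime": "2021-09-22T10:15:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "jdoe"},
        "userAgent": "aws-sdk-go/1.40.0",
        "sourceIPAddress": "203.0.113.10",
    }),
    json.dumps({
        "eventTime": "2021-09-22T10:20:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateSAMLProvider",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/terraform"},
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.0.11",
        "sourceIPAddress": "198.51.100.7",
    }),
    json.dumps({
        "eventTime": "2021-09-22T10:25:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListRoles",
        "userIdentity": {"type": "IAMUser", "userName": "auditor"},
        "userAgent": "aws-cli/2.4.0",
        "sourceIPAddress": "198.51.100.9",
    }),
]

# Each selection is a set of field/value pairs that must all match (Sigma AND
# within a selection). The rule's condition is "1 of selection_*", i.e. OR.
SELECTIONS = {
    "selection_sts": {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML"},
    "selection_iam": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider"},
}


def _field_matches(record: dict, field: str, expected: str) -> bool:
    """Sigma string matching is case-insensitive, so compare lower-cased values."""
    actual = record.get(field)
    return isinstance(actual, str) and actual.lower() == expected.lower()


def matching_selection(record: dict) -> Optional[str]:
    """Return the name of the first selection that fires, or None if none does."""
    for name, criteria in SELECTIONS.items():
        if all(_field_matches(record, f, v) for f, v in criteria.items()):
            return name
    return None


def triage_hint(record: dict) -> str:
    """Turn the rule's falsepositives notes into a reviewer hint for the analyst."""
    user_agent = record.get("userAgent", "")
    if "terraform" in user_agent.lower():
        return "probable automation (Terraform user agent); confirm the pipeline identity is expected"
    return "verify user identity, user agent and source IP against known administrators"


def scan(lines: Iterable[str]) -> List[dict]:
    """Apply the rule to newline-delimited CloudTrail JSON records; return alerts."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        selection = matching_selection(record)
        if selection is None:
            continue
        alerts.append({
            "time": record.get("eventTime"),
            "selection": selection,
            "eventName": record.get("eventName"),
            "identity": record.get("userIdentity", {}),
            "sourceIP": record.get("sourceIPAddress"),
            "hint": triage_hint(record),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_CLOUDTRAIL_RECORDS):
        print(json.dumps(alert))
```

Running the module prints two alerts (the `AssumeRoleWithSAML` event and the Terraform-driven `UpdateSAMLProvider` call) and ignores the `ListRoles` record; the hint field is where the rule's exemption guidance would be applied, for example by suppressing alerts from a known CI role ARN rather than from any Terraform user agent.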
