AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Sigma rule

```yaml
title: AWS Suspicious SAML Activity
id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
status: test
description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
author: Austin Songer
date: 2021-09-22
modified: 2022-12-18
tags:
    - attack.initial-access
    - attack.t1078
    - attack.lateral-movement
    - attack.t1548
    - attack.privilege-escalation
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_sts:
        eventSource: 'sts.amazonaws.com'
        eventName: 'AssumeRoleWithSAML'
    selection_iam:
        eventSource: 'iam.amazonaws.com'
        eventName: 'UpdateSAMLProvider'
    condition: 1 of selection_*
falsepositives:
    - Automated processes that use Terraform may lead to false positives.
    - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
```
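The detection above is two field-equality selections joined by `1 of selection_*`: an event fires the rule if it is an STS `AssumeRoleWithSAML` call or an IAM `UpdateSAMLProvider` call. The following Python is an added example, not code from the SigmaHQ project or the rule author: it applies that logic to CloudTrail records and attaches the triage context the rule's `falsepositives` notes say to verify (user identity, user agent, source IP). The `KNOWN_AUTOMATION_AGENTS` allowlist is an assumption standing in for whatever automation an environment has verified, and the CloudTrail events are constructed samples, not real log output.

```python
"""Apply the 'AWS Suspicious SAML Activity' Sigma logic to CloudTrail records.

Added example, not part of the Sigma rule or the SigmaHQ project. It mirrors
the rule's two selections and its '1 of selection_*' condition, then adds the
context the rule's falsepositives section says an analyst should check.
"""

# Each selection is an AND of field == value, copied from the rule's detection block.
SELECTIONS = {
    "selection_sts": {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML"},
    "selection_iam": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider"},
}

# Assumption: substrings of user agents an environment has verified as its own
# automation (the rule names Terraform as a likely source of false positives).
KNOWN_AUTOMATION_AGENTS = ("terraform",)


def matched_selections(event: dict) -> list:
    """Return the names of every selection whose fields all match the event.

    A non-empty list satisfies the rule's '1 of selection_*' condition.
    """
    return [
        name
        for name, fields in SELECTIONS.items()
        if all(event.get(field) == value for field, value in fields.items())
    ]


def triage(event: dict) -> dict:
    """Evaluate the rule on one CloudTrail record and build an alert with triage context."""
    hits = matched_selections(event)
    if not hits:
        return {"alert": False}
    user_agent = event.get("userAgent") or ""
    identity = event.get("userIdentity") or {}
    return {
        "alert": True,
        "level": "medium",  # the rule's level
        "selections": hits,
        "eventName": event.get("eventName"),
        # Fields the falsepositives notes tell the analyst to verify:
        "actor": identity.get("arn") or identity.get("principalId"),
        "identityType": identity.get("type"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "userAgent": user_agent,
        # Flag, do not suppress: verified automation is a tuning decision for the analyst.
        "likely_automation": any(a in user_agent.lower() for a in KNOWN_AUTOMATION_AGENTS),
    }


def run(events: list) -> list:
    """Return the alerts produced for a batch of CloudTrail records, in input order."""
    return [result for result in map(triage, events) if result["alert"]]


# Constructed CloudTrail-shaped records (not real logs); only the fields used above are present.
CONSTRUCTED_EVENTS = [
    {   # IAM change to a SAML provider made through an automation user agent
        "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateSAMLProvider",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deployer"},
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.5.0",
    },
    {   # Federated sign-in through SAML
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "principalId": "Example-IdP:alice"},
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/2.13.0",
    },
    {   # Unrelated STS call: no selection matches
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "sourceIPAddress": "198.51.100.8",
        "userAgent": "aws-cli/2.13.0",
    },
]

if __name__ == "__main__":
    for alert in run(CONSTRUCTED_EVENTS):
        print(alert)
```

Running the module prints two alerts, one per matching record; the `GetCallerIdentity` call produces none because neither selection matches on both fields. The `likely_automation` flag annotates rather than filters, so an analyst can decide per environment whether, as the rule's notes suggest, that behaviour should be exempted from the rule.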
Related rules
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- Password Provided In Command Line Of Net.EXE
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address