attack.t1550.001

AWS Console GetSigninToken Potential Abuse

Oct 23, 2025 · attack.lateral-movement attack.defense-evasion attack.t1021.007 attack.t1550.001 ·

Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.

AWS STS AssumeRole Misuse

Oct 23, 2025 · attack.lateral-movement attack.privilege-escalation attack.defense-evasion attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

AWS STS GetSessionToken Misuse

Oct 23, 2025 · attack.lateral-movement attack.privilege-escalation attack.defense-evasion attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

AWS Suspicious SAML Activity

Oct 23, 2025 · attack.defense-evasion attack.initial-access attack.lateral-movement attack.persistence attack.privilege-escalation attack.t1078 attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.