IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« AWS Security Token Service (STS) AssumeRole Usage AWS IAM Assume Role Policy Update »

› ›

AWS STS GetSessionToken Abuse

edit

AWS STS GetSessionToken Abuse

edit

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Rule type: query

Rule indices:

filebeat-*
logs-aws*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html

Tags:

Elastic
Cloud
AWS
Continuous Monitoring
SecOps
Identity and Access

Version: 4

Rule authors:

Austin Songer

Rule license: Elastic License v2

Investigation guide

edit

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and
aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Abuse Elevation Control Mechanism
- ID: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Use Alternate Authentication Material
- ID: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
Sub-technique:
- Name: Application Access Token
- ID: T1550.001
- Reference URL: https://attack.mitre.org/techniques/T1550/001/

« AWS Security Token Service (STS) AssumeRole Usage AWS IAM Assume Role Policy Update »