First Occurrence of STS GetFederationToken Request by User

edit

First Occurrence of STS GetFederationToken Request by User

edit

Identifies the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user within the last 10 days. The GetFederationToken API call allows users to request temporary security credentials to access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not normally have access to.

Rule type: new_terms

Rule indices:

filebeat-*
logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/

Tags:

Domain: Cloud
Data Source: Amazon Web Services
Data Source: AWS
Data Source: AWS STS
Use Case: Threat Detection
Tactic: Defense Evasion

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.dataset: "aws.cloudtrail"
    and event.provider: sts.amazonaws.com
    and event.action: GetFederationToken

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Use Alternate Authentication Material
- ID: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
Sub-technique:
- Name: Application Access Token
- ID: T1550.001
- Reference URL: https://attack.mitre.org/techniques/T1550/001/

« First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT) First Occurrence of User Agent For a GitHub Personal Access Token (PAT) »