AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

Sample rules

AWS STS AssumeRole Misuse

Description

Identifies suspicious use of AssumeRole. Attackers could use it to move laterally and escalate privileges.

Detection logic

condition: selection
selection:
  userIdentity.sessionContext.sessionIssuer.type: Role
  userIdentity.type: AssumedRole
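Added example, not part of the LoFP page or the original rule: it applies the rule's two selection conditions to constructed CloudTrail records and then performs the triage the false-positive note describes, separating sessions issued by allowlisted administrator roles and automation user agents from those needing review. The allowlist values, role ARNs and sample records are hypothetical.

```python
# Added example, not part of the LoFP page or the original rule: apply the
# rule's selection to constructed CloudTrail records, then apply the page's
# triage (is this identity / user agent expected to assume roles here?).
SELECTION = {  # the rule's 'selection' block as field path -> expected value
    "userIdentity.sessionContext.sessionIssuer.type": "Role",
    "userIdentity.type": "AssumedRole",
}
# Hypothetical allowlist of admin roles and automation agents expected to AssumeRole.
KNOWN_ISSUER_ARNS = {"arn:aws:iam::123456789012:role/OpsAdminRole"}
KNOWN_USER_AGENTS = {"terraform-provider-aws/5.0.0"}


def get_path(record, path):
    """Walk a dotted field path through nested dicts; None if a step is missing."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_rule(record):
    """True when every selection field equals its value (Sigma map = AND)."""
    return all(get_path(record, p) == v for p, v in SELECTION.items())


def triage(record):
    """'no_match', 'expected_admin' (allowlisted FP) or 'review' for one record."""
    if not matches_rule(record):
        return "no_match"
    issuer = get_path(record, "userIdentity.sessionContext.sessionIssuer.arn")
    if issuer in KNOWN_ISSUER_ARNS and record.get("userAgent") in KNOWN_USER_AGENTS:
        return "expected_admin"
    return "review"


def triage_all(events):
    """Map eventID -> triage result for a batch of CloudTrail records."""
    return {e["eventID"]: triage(e) for e in events}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"eventID": "e1", "userAgent": "aws-cli/2.15.0", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e2", "userAgent": "terraform-provider-aws/5.0.0",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
         "type": "Role", "arn": "arn:aws:iam::123456789012:role/OpsAdminRole"}}}},
    {"eventID": "e3", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
         "type": "Role", "arn": "arn:aws:iam::123456789012:role/LambdaExecRole"}}}},
]
```

Running `triage_all(SAMPLE_EVENTS)` leaves only e3 marked for review: e1 never matched the rule and e2 is the administrator activity the false-positive note anticipates.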