Techniques
Sample rules
AWS Security Token Service (STS) AssumeRole Usage
- source: elastic
- techniques:
  - T1548
  - T1550
Description
Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.
Detection logic
event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and
aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
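
The following is an added example, not part of the Elastic rule or this page: it applies the query's five field conditions to constructed ECS-shaped events to show which ones alert and which fall through. The helper names and the nested document layout are assumptions made for illustration.

```python
# Field/value pairs copied from the rule's query; all must match (logical AND).
RULE = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "sts.amazonaws.com",
    "event.action": "AssumedRole",
    "aws.cloudtrail.user_identity.session_context.session_issuer.type": "Role",
    "event.outcome": "success",
}

def get_field(doc, dotted):
    """Resolve a dotted field name against a nested document; None if absent."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(doc):
    """True when every field in RULE is present with the expected value."""
    return all(get_field(doc, field) == value for field, value in RULE.items())

def make_event(action="AssumedRole", outcome="success", issuer_type="Role"):
    """Build a constructed event (hypothetical helper, not real log data)."""
    session_context = {"session_issuer": {"type": issuer_type}} if issuer_type else {}
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
                  "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {"user_identity": {"session_context": session_context}}},
    }

# Constructed samples, keyed by what each one represents.
SAMPLES = {
    "role session assumes another role": make_event(),
    "failed attempt": make_event(outcome="failure"),
    "caller without a role session issuer": make_event(issuer_type=None),
    # The query matches the literal AssumedRole only; any other spelling is skipped.
    "action spelled AssumeRole": make_event(action="AssumeRole"),
}

def triage(samples):
    """Return the labels of the samples the rule would alert on."""
    return [label for label, doc in samples.items() if matches(doc)]

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{'ALERT' if matches(doc) else 'skip':5}  {label}")
```

Before relying on the rule, confirm which `event.action` value your ingest pipeline actually writes for these events, since the match is on the exact string.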