Techniques
Sample rules
AWS Suspicious SAML Activity
- source: sigma
- techniques:
- t1078
- t1548
- t1550
- t1550.001
Description
Identifies suspicious SAML activity in AWS: an IAM SAML provider being updated, or a role being assumed with a SAML assertion. An adversary who can call UpdateSAMLProvider can replace the identity provider metadata with their own and then obtain role sessions with assertions they sign themselves, giving them backdoor access to the account. Note that AssumeRoleWithSAML is routine wherever SAML federation is in use, so matches on that selection should be compared against the expected provider ARNs and principals before being treated as alerts.
Detection logic
condition: 1 of selection_*
selection_iam:
    eventName: UpdateSAMLProvider
    eventSource: iam.amazonaws.com
selection_sts:
    eventName: AssumeRoleWithSAML
    eventSource: sts.amazonaws.com
AWS STS AssumeRole Misuse
- source: sigma
- techniques:
- t1548
- t1550
- t1550.001
Description
Identifies API calls made from an assumed-role session. Attackers who obtain credentials that can assume roles may use them to move laterally between accounts and escalate privileges. As written, the selection matches every CloudTrail event performed by an assumed-role session, so it is a base filter to combine with other conditions (an unusual source IP, role, or API call) rather than a stand-alone alert.
Detection logic
condition: selection
selection:
    userIdentity.sessionContext.sessionIssuer.type: Role
    userIdentity.type: AssumedRole
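To see what the two rules above actually match, here is an added example (not code from the original page or from the Sigma project) that evaluates both rules against a handful of constructed CloudTrail records. The records, principal names, and role names are made up for illustration; the field names follow CloudTrail's JSON schema, and the rule definitions are transcribed from the detection logic shown for each rule.

```python
"""Evaluate the two Sigma rules above against constructed CloudTrail events.

Added example, not part of the original page or the Sigma project.  The
events below are constructed for illustration (names and roles are invented);
the rule definitions mirror the detection logic listed above.
"""
import fnmatch
from typing import Any, Dict, List, Tuple

# Constructed CloudTrail records (not real log data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
     "userIdentity": {"type": "SAMLUser", "userName": "bob@example.com"}},
    # A benign S3 call from an assumed-role session: this is enough to match
    # the AssumeRole rule, which shows how broad that selection is.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "AdminRole"}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

# The two rules, transcribed from the detection logic on this page.
RULES: Dict[str, Dict[str, Any]] = {
    "AWS Suspicious SAML Activity": {
        "selections": {
            "selection_iam": {"eventName": "UpdateSAMLProvider",
                              "eventSource": "iam.amazonaws.com"},
            "selection_sts": {"eventName": "AssumeRoleWithSAML",
                              "eventSource": "sts.amazonaws.com"},
        },
        "condition": "1 of selection_*",
    },
    "AWS STS AssumeRole Misuse": {
        "selections": {
            "selection": {"userIdentity.sessionContext.sessionIssuer.type": "Role",
                          "userIdentity.type": "AssumedRole"},
        },
        "condition": "selection",
    },
}


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted Sigma field name against a nested CloudTrail record."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """All field/value pairs in a Sigma selection map are ANDed; values match by equality."""
    return all(get_field(event, field) == value for field, value in selection.items())


def rule_matches(event: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    """Evaluate the subset of Sigma conditions used by the rules on this page:
    a single selection name, or '1 of <glob>' over selection names."""
    results = {name: selection_matches(event, sel)
               for name, sel in rule["selections"].items()}
    cond = rule["condition"].strip()
    if cond.startswith("1 of "):
        pattern = cond[len("1 of "):]
        return any(hit for name, hit in results.items() if fnmatch.fnmatch(name, pattern))
    if cond in results:
        return results[cond]
    raise ValueError(f"unsupported condition: {cond!r}")


def evaluate(events: List[Dict[str, Any]],
             rules: Dict[str, Dict[str, Any]] = RULES) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        for name, rule in rules.items():
            if rule_matches(event, rule):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{name}: event {idx} ({ev['eventSource']} {ev['eventName']})")
```

Running it shows the SAML rule firing on the UpdateSAMLProvider and AssumeRoleWithSAML records, and the AssumeRole rule firing on the ordinary ListBuckets call simply because it came from an assumed-role session. In production the same evaluator would be pointed at CloudTrail records read from S3 or CloudWatch Logs, and the AssumeRole rule would be combined with additional selections rather than alerted on by itself.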