Techniques
Sample rules
AWS STS Role Assumption by Service
- source: elastic
- technicques:
- T1548
- T1550
Description
Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "sts.amazonaws.com"
and event.action: "AssumeRole"
and event.outcome: "success"
and aws.cloudtrail.user_identity.type: "AWSService"
and not aws.cloudtrail.user_identity.invoked_by: (
"config.amazonaws.com" or
"securityhub.amazonaws.com" or
"sso.amazonaws.com"
)
AWS STS Role Assumption by User
- source: elastic
- technicques:
- T1548
- T1550
Description
Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "sts.amazonaws.com"
and event.action: "AssumeRole"
and event.outcome: "success"
and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser")