Techniques
Sample rules
AWS STS AssumeRoot by Rare User and Member Account
- source: elastic
- techniques:
- T1098
- T1548
Description
Identifies when the STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries who may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role for the specific member account.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "sts.amazonaws.com"
and event.action: "AssumeRoot"
and event.outcome: "success"
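To make the rule concrete, here is an added Python example (not Elastic's code) that applies the four filter clauses above and a minimal new-terms check over constructed CloudTrail events; the dotted field paths used for the calling user and the target member account are assumptions.

```python
# Added example (not Elastic's code): replays the rule's four filter clauses and a
# minimal "new terms" check over constructed CloudTrail events. The dotted field
# paths for the caller and the target member account are assumptions.
USER_FIELD = "user.name"                                                       # assumed
ACCOUNT_FIELD = "aws.cloudtrail.flattened.request_parameters.targetPrincipal"  # assumed

def _get(ev, path):
    """Walk a dotted path through nested dicts; None if a segment is missing."""
    for part in path.split("."):
        if not isinstance(ev, dict):
            return None
        ev = ev.get(part)
    return ev

def _event(user, account, action="AssumeRoot", outcome="success"):
    """Constructed CloudTrail record in ECS shape (sample data, not a real log)."""
    return {"event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
                      "action": action, "outcome": outcome},
            "user": {"name": user},
            "aws": {"cloudtrail": {"flattened": {"request_parameters":
                    {"targetPrincipal": account}}}}}

SAMPLE_EVENTS = [
    _event("ops-admin", "111111111111"),                           # established pair
    _event("ops-admin", "111111111111"),                           # repeat
    _event("ops-admin", "222222222222"),                           # known user, new account
    _event("temp-key-user", "111111111111", outcome="failure"),    # fails outcome clause
    _event("temp-key-user", "111111111111", action="AssumeRole"),  # wrong action
    _event("temp-key-user", "111111111111"),                       # never-seen caller
]

def matches_filter(ev):
    """The rule's KQL, clause for clause."""
    return (_get(ev, "event.dataset") == "aws.cloudtrail"
            and _get(ev, "event.provider") == "sts.amazonaws.com"
            and _get(ev, "event.action") == "AssumeRoot"
            and _get(ev, "event.outcome") == "success")

def new_terms_alerts(events, known_pairs=()):
    """Alert once per (user, member account) pair absent from the history window (known_pairs)."""
    seen, alerts = set(known_pairs), []
    for ev in filter(matches_filter, events):
        pair = (_get(ev, USER_FIELD), _get(ev, ACCOUNT_FIELD))
        if pair not in seen:        # first sighting of this user/account combination
            seen.add(pair)
            alerts.append(pair)
    return alerts
```

Seeding known_pairs with the pairs observed during the rule's history window is what turns the plain filter into the "rare user and member account" behaviour; without it every pair in the batch alerts once.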