LoFP / AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.

Sample rules

AWS STS Role Assumption by Service

Description

Identifies when an AWS service has assumed a role through the AWS Security Token Service (STS) AssumeRole API. Services assume roles to obtain temporary credentials and access AWS resources. This is a New Terms rule: it alerts only when a previously unseen combination of terms appears, not on every successful AssumeRole call, which is what keeps routine service role assumption from paging on every invocation. While usually legitimate, adversaries can use service role assumption for credential access, privilege escalation, or lateral movement within an AWS environment.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRole"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "AWSService"
    and not aws.cloudtrail.user_identity.invoked_by: (
              "config.amazonaws.com" or
              "securityhub.amazonaws.com" or
              "sso.amazonaws.com"
            )

AWS STS Role Assumption by User

Description

Identifies when an IAM user or an already assumed role has assumed a role through the AWS Security Token Service (STS) AssumeRole API. Users assume roles to obtain temporary credentials and access AWS resources; a role assuming another role is role chaining. This is a New Terms rule: it alerts only when a previously unseen combination of terms appears, not on every successful AssumeRole call. While often legitimate, adversaries can use this technique for credential access, privilege escalation, or lateral movement within an AWS environment.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRole"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser")

AWS STS AssumeRole with New MFA Device

Description

Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS); the serialNumber request parameter carries the ARN or serial of the MFA device the caller presented. While a new MFA device is not always indicative of malicious behavior, it should be verified, as adversaries can register their own device and use this technique for persistence and privilege escalation. Note that the query below selects every successful role assumption that carries an MFA serial number; whether the device is new for that user is decided by the rule's history of seen values, not by the query itself.

Detection logic

event.dataset:aws.cloudtrail
    and event.provider:sts.amazonaws.com
    and event.action:(AssumeRole or AssumeRoleWithSAML or AssumeRoleWithWebIdentity)
    and event.outcome:success
    and user.id:* 
    and aws.cloudtrail.flattened.request_parameters.serialNumber:*
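The three queries above run over the same CloudTrail feed and differ only in who the caller is and what the request carried. The following Python is an added example, not Elastic's rule engine or any code from the LoFP project: it encodes the three filters over a handful of constructed, flattened CloudTrail events (made up here, using the ECS-style field names the rules reference) and emulates the New Terms behaviour so the false positive in the page title can be seen being suppressed. Which field each New Terms rule keys on is not shown on this page; the example assumes invoked_by for the service rule, user.id for the user rule, and the MFA serialNumber for the new-device rule.

```python
"""Evaluate the three STS AssumeRole sample rules over constructed CloudTrail
events. Added example, not Elastic's rule engine; events are made up and
flattened into the ECS-style field names the rules use."""

SERVICE_EXCLUSIONS = {          # known-noisy service principals from the rule
    "config.amazonaws.com",
    "securityhub.amazonaws.com",
    "sso.amazonaws.com",
}
MFA_ACTIONS = frozenset({"AssumeRole", "AssumeRoleWithSAML",
                         "AssumeRoleWithWebIdentity"})


def _successful_sts(ev, actions=frozenset({"AssumeRole"})):
    """Shared prefix of all three rules: a successful STS call."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "sts.amazonaws.com"
            and ev.get("event.action") in actions
            and ev.get("event.outcome") == "success")


def matches_service_rule(ev):
    """AWS STS Role Assumption by Service. A missing invoked_by is not in the
    exclusion list, so it still matches, exactly as the KQL `not` does."""
    return (_successful_sts(ev)
            and ev.get("aws.cloudtrail.user_identity.type") == "AWSService"
            and ev.get("aws.cloudtrail.user_identity.invoked_by")
            not in SERVICE_EXCLUSIONS)


def matches_user_rule(ev):
    """AWS STS Role Assumption by User (IAM user or role chaining)."""
    return (_successful_sts(ev)
            and ev.get("aws.cloudtrail.user_identity.type")
            in {"AssumedRole", "IAMUser"})


def matches_new_mfa_rule(ev):
    """AWS STS AssumeRole with New MFA Device. `field:*` in KQL means the
    field exists with a non-null value, so that is what is checked here."""
    return (_successful_sts(ev, MFA_ACTIONS)
            and ev.get("user.id") is not None
            and ev.get("aws.cloudtrail.flattened.request_parameters.serialNumber")
            is not None)


RULES = {
    "role_by_service": matches_service_rule,
    "role_by_user": matches_user_rule,
    "new_mfa_device": matches_new_mfa_rule,
}
# Assumed term fields for the New Terms emulation (not stated on the page).
NEW_TERMS_FIELD = {
    "role_by_service": "aws.cloudtrail.user_identity.invoked_by",
    "role_by_user": "user.id",
    "new_mfa_device": "aws.cloudtrail.flattened.request_parameters.serialNumber",
}


def evaluate(events):
    """Map each event id to the rule filters it satisfies."""
    return {ev["id"]: [n for n, fn in RULES.items() if fn(ev)] for ev in events}


def new_terms(events, rule, seen):
    """Emulate a New Terms rule: the query picks candidate events, but an
    alert fires only when the term value is absent from `seen` (the history
    window). `seen` is updated so a repeated term alerts once at most."""
    field, alerts = NEW_TERMS_FIELD[rule], []
    for ev in events:
        term = ev.get(field)
        if RULES[rule](ev) and term is not None and term not in seen:
            seen.add(term)
            alerts.append(ev["id"])
    return alerts


def _event(eid, identity_type, action="AssumeRole", outcome="success",
           invoked_by=None, user_id=None, mfa_serial=None):
    """Build a constructed, flattened CloudTrail event (not real log data)."""
    ev = {"id": eid, "event.dataset": "aws.cloudtrail",
          "event.provider": "sts.amazonaws.com", "event.action": action,
          "event.outcome": outcome,
          "aws.cloudtrail.user_identity.type": identity_type}
    if invoked_by:
        ev["aws.cloudtrail.user_identity.invoked_by"] = invoked_by
    if user_id:
        ev["user.id"] = user_id
    if mfa_serial:
        ev["aws.cloudtrail.flattened.request_parameters.serialNumber"] = mfa_serial
    return ev


SAMPLE_EVENTS = [   # constructed; identifiers and account are placeholders
    _event("svc-lambda", "AWSService", invoked_by="lambda.amazonaws.com"),
    _event("svc-config", "AWSService", invoked_by="config.amazonaws.com"),
    _event("user-mfa", "IAMUser", user_id="AIDAEXAMPLEALICE",
           mfa_serial="arn:aws:iam::123456789012:mfa/alice"),
    _event("role-chain", "AssumedRole", user_id="AROAEXAMPLEDEPLOY:deploy"),
    _event("user-denied", "IAMUser", outcome="failure", user_id="AIDAEXAMPLEBOB",
           mfa_serial="arn:aws:iam::123456789012:mfa/bob"),
    _event("user-mfa-again", "IAMUser", user_id="AIDAEXAMPLEALICE",
           mfa_serial="arn:aws:iam::123456789012:mfa/alice"),
]

if __name__ == "__main__":
    for eid, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{eid:15} {hits}")
    for rule in RULES:
        print(f"new terms [{rule}]: {new_terms(SAMPLE_EVENTS, rule, set())}")
```

Running it shows the point of the LoFP entry: the plain queries match every successful assumption by the Lambda service, the IAM user and the chained role, while the New Terms pass reports each service, user and MFA serial once and stays silent when the same administrator or automation assumes the role again. Tuning therefore belongs in the history window and the term field, not in loosening the query.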