Techniques
Sample rules
AWS STS AssumeRoot by Rare User and Member Account
- source: elastic
- techniques:
- T1098
- T1548
Description
Identifies when the STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries who have compromised user credentials can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role against a specific member account.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "sts.amazonaws.com"
and event.action: "AssumeRoot"
and event.outcome: "success"
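To show how the four AND-ed clauses above combine with the "new terms" behaviour the description mentions, here is an added example that evaluates the same logic over constructed CloudTrail-style records. It is not Elastic's rule engine or rule code; the query fields are the ones in the rule, while the actor and member-account field names ("user.name", "aws.target_account"), the sample values and the baseline/candidate split are assumptions made for the example.

```python
"""Toy evaluation of the 'AWS STS AssumeRoot by Rare User and Member Account'
rule over constructed records (added example; not Elastic's implementation)."""

# Constructed CloudTrail-style records, flattened to the field names the rule
# query uses. "user.name" and "aws.target_account" are assumed names for the
# actor and the member account targeted by AssumeRoot.
BASELINE_EVENTS = [
    {"event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
     "event.action": "AssumeRoot", "event.outcome": "success",
     "user.name": "alice", "aws.target_account": "111111111111"},
]

NEW_EVENTS = [
    # Same user/account pair as the baseline: expected behaviour, no alert.
    {"event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
     "event.action": "AssumeRoot", "event.outcome": "success",
     "user.name": "alice", "aws.target_account": "111111111111"},
    # A user who has never assumed root into this member account: new term.
    {"event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
     "event.action": "AssumeRoot", "event.outcome": "success",
     "user.name": "bob", "aws.target_account": "111111111111"},
    # Known user, but a member account she has never targeted: new term.
    {"event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
     "event.action": "AssumeRoot", "event.outcome": "success",
     "user.name": "alice", "aws.target_account": "222222222222"},
    # Failed attempt: excluded by the event.outcome clause.
    {"event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
     "event.action": "AssumeRoot", "event.outcome": "failure",
     "user.name": "carol", "aws.target_account": "111111111111"},
    # Unrelated STS call: excluded by the event.action clause.
    {"event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
     "event.action": "AssumeRole", "event.outcome": "success",
     "user.name": "dave", "aws.target_account": "111111111111"},
]


def matches_query(ev: dict) -> bool:
    """The rule's query: all four clauses must hold."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "sts.amazonaws.com"
            and ev.get("event.action") == "AssumeRoot"
            and ev.get("event.outcome") == "success")


def term_key(ev: dict) -> tuple:
    """The (user, member account) combination the new-terms logic tracks."""
    return (ev.get("user.name"), ev.get("aws.target_account"))


def new_terms_alerts(baseline: list, candidates: list) -> list:
    """Return (user, account) pairs that match the query but were never seen
    in the baseline; each new pair alerts once, as a new-terms rule would."""
    seen = {term_key(e) for e in baseline if matches_query(e)}
    alerts = []
    for ev in candidates:
        if not matches_query(ev):
            continue
        key = term_key(ev)
        if key not in seen:
            alerts.append(key)
            seen.add(key)
    return alerts


if __name__ == "__main__":
    for user, account in new_terms_alerts(BASELINE_EVENTS, NEW_EVENTS):
        print(f"ALERT: {user} performed AssumeRoot into member account "
              f"{account} for the first time")
```

Running it alerts on bob targeting 111111111111 and on alice targeting 222222222222, while the repeat of a known pair, the failed attempt and the AssumeRole call are silent; the query clauses reduce the event stream to successful AssumeRoot calls, and the rarity of the user/member-account pair is what turns one of them into an alert.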