LoFP / aws services might assume roles to access aws resources as part of their standard operations.

Techniques

• T1548
• T1550

Sample rules

AWS STS Role Assumption by Service

• source: elastic
• technicques:
  • T1548
  • T1550

Description

Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRole"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "AWSService"
    and not aws.cloudtrail.user_identity.invoked_by: (
              "config.amazonaws.com" or
              "securityhub.amazonaws.com" or
              "sso.amazonaws.com"
            )