LoFP LoFP / aws services might assume root to access aws resources as part of their standard operations.

Techniques

Sample rules

AWS STS AssumeRoot by Rare User and Member Account

Description

Identifies when the STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries whom may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role and specific member account.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRoot"
    and event.outcome: "success"