aws services might assume root to access aws resources as part of their standard operations.

t1098
t1548
aws
elastic

Techniques

T1098
T1548

Sample rules

AWS STS AssumeRoot by Rare User and Member Account

source: elastic
technicques:
- T1098
- T1548

Description

Identifies when the STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries who have compromised user credentials can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role against a specific member account.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRoot"
    and event.outcome: "success"