getsessiontoken may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. getsessiontoken from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

t1548
t1550
aws
elastic

t1548
t1550
t1550.001

Sample rules

AWS STS GetSessionToken Abuse

source: elastic
technicques:
- T1548
- T1550

Description

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Detection logic

event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and
aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success

AWS STS GetSessionToken Misuse

source: sigma
technicques:
- t1548
- t1550
- t1550.001

Description

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Detection logic

condition: selection
selection:
  eventName: GetSessionToken
  eventSource: sts.amazonaws.com
  userIdentity.type: IAMUser