Techniques
Sample rules
AWS Console GetSigninToken Potential Abuse
- source: sigma
- technicques:
- t1021
- t1021.007
- t1550
- t1550.001
Description
Detects potentially suspicious events involving “GetSigninToken”. An adversary using the “aws_consoler” tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_console_ua:
userAgent|contains: Jersey/${project.version}
selection:
eventName: GetSigninToken
eventSource: signin.amazonaws.com