getsignintoken events will occur when using aws sso portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. non-sso configured roles would be abnormal and should be investigated.

t1021
t1021.007
t1550
t1550.001
aws
sigma

Techniques

t1021
t1021.007
t1550
t1550.001

Sample rules

AWS Console GetSigninToken Potential Abuse

source: sigma
technicques:
- t1021
- t1021.007
- t1550
- t1550.001

Description

Detects potentially suspicious events involving “GetSigninToken”. An adversary using the “aws_consoler” tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_console_ua:
  userAgent|contains: Jersey/${project.version}
selection:
  eventName: GetSigninToken
  eventSource: signin.amazonaws.com