role chaining can be used as an access control. ensure that this behavior is not part of a legitimate operation before taking action.

t1548
t1550
aws
elastic

Techniques

T1548
T1550

Sample rules

AWS STS Role Chaining

source: elastic
technicques:
- T1548
- T1550

Description

Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API. While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges. Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration. This is a new terms rule that looks for the first occurance of one role (aws.cloudtrail.user_identity.session_context.session_issuer.arn) assuming another (aws.cloudtrail.resources.arn).

Detection logic

    event.dataset : "aws.cloudtrail" and 
    event.provider : "sts.amazonaws.com" and 
    event.action : "AssumeRole" and 
    aws.cloudtrail.user_identity.type : "AssumedRole" and 
    event.outcome : "success"