Techniques
Sample rules
aws detect sts assume role abuse
- source: splunk
- techniques:
- T1078
Description
This search detects suspicious use of sts:AssumeRole. The temporary credentials it returns can be created on demand and used by attackers to move laterally and escalate privileges.
Detection logic
`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role
| table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate
| `aws_detect_sts_assume_role_abuse_filter`
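As an added example that is not part of the original rule or of Splunk's content, the same selection and table applied in Python to a few constructed CloudTrail records. It assumes the add-on's field mappings (user_type -> userIdentity.type, user_agent -> userAgent, user_access_key -> userIdentity.accessKeyId, action -> eventName) and stands in for the filter macro with a simple ARN allowlist.

```python
# Constructed CloudTrail records for this example only; they are not real events.
SAMPLE_EVENTS = [
    {   # sts:AssumeRole session calling CreateRole -> matches the search
        "eventName": "CreateRole", "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/s1",
                         "accessKeyId": "ASIAEXAMPLE0000001",
                         "sessionContext": {"sessionIssuer": {"type": "Role"}}},
        "requestParameters": {"roleName": "ci-deploy"},
        "responseElements": {"role": {"roleName": "ci-deploy",
                                      "createDate": "2024-05-01T10:00:00Z"}},
    },
    {   # long-lived IAM user key -> user_type is not AssumedRole, no match
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000002",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
    },
    {   # GetFederationToken session: issuer is an IAM user, not a Role -> no match
        "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.9",
        "userAgent": "Boto3/1.34",
        "userIdentity": {"type": "FederatedUser",
                         "arn": "arn:aws:sts::111122223333:federated-user/bob",
                         "accessKeyId": "ASIAEXAMPLE0000003",
                         "sessionContext": {"sessionIssuer": {"type": "IAMUser"}}},
    },
]


def matches_search(event):
    """Mirror of the SPL selection: user_type=AssumedRole AND sessionIssuer.type=Role."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return ident.get("type") == "AssumedRole" and issuer.get("type") == "Role"


def assume_role_abuse_rows(events, allowlisted_arns=()):
    """Build the `table` the search emits; allowlisted_arns is an assumed stand-in
    for the `aws_detect_sts_assume_role_abuse_filter` macro (treated as an allowlist)."""
    rows = []
    for e in events:
        ident = e.get("userIdentity", {})
        if not matches_search(e) or ident.get("arn") in allowlisted_arns:
            continue
        role = (e.get("responseElements") or {}).get("role") or {}
        rows.append({"sourceIPAddress": e.get("sourceIPAddress"), "arn": ident.get("arn"),
                     "user_agent": e.get("userAgent"), "user_access_key": ident.get("accessKeyId"),
                     "action": e.get("eventName"),
                     "requestParameters.roleName": (e.get("requestParameters") or {}).get("roleName"),
                     "responseElements.role.roleName": role.get("roleName"),
                     "responseElements.role.createDate": role.get("createDate")})
    return rows
```

Only the first record survives both conditions; the federated session shows why the sessionIssuer.type check is needed on top of user_type alone.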