sts:GetSessionToken can be very noisy, as in certain environments numerous calls of this type are executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the field requestParameters.serialNumber will need to be used.

Techniques

Sample rules

aws detect sts get session token abuse

Description

The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure.

Detection logic

`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser
| spath eventName
| search eventName=GetSessionToken
| table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region
| `aws_detect_sts_get_session_token_abuse_filter`
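The following is an added example, not the rule's own code or anything shipped by Splunk: a small Python re-implementation of the same filters (the `ASIA` keyword, `userIdentity.type=IAMUser`, `eventName=GetSessionToken` and the `table` projection) over constructed CloudTrail-style records, plus the tuning the false-positive note refers to, implemented here as an assumed allowlist of expected `requestParameters.serialNumber` values. The records, account id, ARNs, IPs and key ids are constructed placeholders, and the `known_mfa_serials` parameter is this example's own design, not a field of the rule.

```python
"""Toy re-implementation of the GetSessionToken detection over CloudTrail-style
records, with an optional serialNumber-based tuning step. Added example only."""
import json

# Constructed CloudTrail-style records for illustration; not real log data.
SAMPLE_EVENTS = [
    {   # IAM user fetching a session token without an MFA device: surfaced
        "eventTime": "2024-01-15T10:02:11Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"durationSeconds": 3600},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000000001"}},
    },
    {   # IAM user using a known MFA device: matched by the raw rule, suppressed by tuning
        "eventTime": "2024-01-15T10:05:40Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.8", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"durationSeconds": 3600,
                              "serialNumber": "arn:aws:iam::111122223333:mfa/bob"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000000002"}},
    },
    {   # IAM user with an MFA serial the analyst does not recognise: surfaced
        "eventTime": "2024-01-15T11:17:03Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken", "awsRegion": "eu-west-1",
        "sourceIPAddress": "192.0.2.77", "userAgent": "Boto3/1.34.0",
        "userIdentity": {"type": "IAMUser", "userName": "carol",
                         "arn": "arn:aws:iam::111122223333:user/carol"},
        "requestParameters": {"durationSeconds": 43200,
                              "serialNumber": "arn:aws:iam::111122223333:mfa/unknown-device"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000000003"}},
    },
    {   # Root identity: excluded by userIdentity.type=IAMUser
        "eventTime": "2024-01-15T12:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetSessionToken", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.9", "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "requestParameters": None,
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000000004"}},
    },
    {   # Different STS call: excluded by eventName=GetSessionToken
        "eventTime": "2024-01-15T12:01:30Z", "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": None, "responseElements": None,
    },
]


def matches_rule(event: dict) -> bool:
    """Mirror the SPL filters. A bare term like ASIA in Splunk is a case-insensitive
    keyword search over the raw event, so it is emulated on the serialised JSON."""
    raw = json.dumps(event).lower()
    identity = event.get("userIdentity") or {}
    return ("asia" in raw
            and identity.get("type") == "IAMUser"
            and event.get("eventName") == "GetSessionToken")


def project(event: dict) -> dict:
    """Equivalent of the `| table ...` line. `status` is derived here from the
    presence of errorCode, `region` from awsRegion."""
    identity = event.get("userIdentity") or {}
    return {
        "sourceIPAddress": event.get("sourceIPAddress"),
        "eventTime": event.get("eventTime"),
        "userIdentity.arn": identity.get("arn"),
        "userName": identity.get("userName"),
        "userAgent": event.get("userAgent"),
        "user_type": identity.get("type"),
        "status": "failure" if event.get("errorCode") else "success",
        "region": event.get("awsRegion"),
    }


def detect(events, known_mfa_serials=frozenset()):
    """Run the rule over `events`. `known_mfa_serials` is an assumed tuning knob:
    calls whose requestParameters.serialNumber is on the allowlist are dropped,
    which is one way to apply the serialNumber tuning the false-positive note describes."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        params = ev.get("requestParameters") or {}
        serial = params.get("serialNumber")
        if serial and serial in known_mfa_serials:
            continue
        row = project(ev)
        row["serialNumber"] = serial
        hits.append(row)
    return hits


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, {"arn:aws:iam::111122223333:mfa/bob"}):
        print(row)
```

Run as written, the untuned rule surfaces alice, bob and carol; with bob's MFA device on the allowlist only alice (no serial at all) and carol (an unrecognised serial) remain, which is the shape of triage the note is pointing at. Note also that the `ASIA` term only matches because the temporary access key id is present in `responseElements`, so the rule as written is effectively scoped to successful calls.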