LoFP / sts:GetSessionToken can be very noisy, as in certain environments numerous calls of this type are executed legitimately (CLI sessions, scripts and MFA-protected workflows all mint session tokens). This search can be adjusted with values specific to the environment to identify cases of abuse. In some environments the field requestParameters.serialNumber will need to be used: it carries the MFA device ARN passed to GetSessionToken and is only present on MFA-backed calls, so it separates expected token requests from calls made with a bare long-term key.

Techniques

Sample rules

aws detect sts get session token abuse

Description

This search detects suspicious use of sts:GetSessionToken. The call returns temporary credentials (an ASIA-prefixed access key ID, a secret key and a session token, valid for up to 36 hours for an IAM user) under the calling user's identity. An attacker who has obtained an IAM user's long-term access key can create these tokens on the go and use them to move laterally and escalate privileges.

Detection logic

`aws_cloudwatchlogs_eks` ASIA  userIdentity.type=IAMUser
| spath eventName 
| search eventName=GetSessionToken 
| table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region 
| `aws_detect_sts_get_session_token_abuse_filter`
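The search above, replayed over constructed CloudTrail records with the tuning from the false-positive note applied. This is an added example written for this page, not the detection's own code or any Splunk or AWS artefact: the records, the helper names (`record`, `matches_search`, `find_abuse`) and the `known_mfa_serials` allow-list are assumptions, and the `ASIA` keyword is read as "an ASIA-prefixed key ID was returned", which is what it is meant to catch. The example also shows a consequence of that keyword filter: a failed GetSessionToken returns no credentials, so it contains no ASIA key and the search as written does not match it.

```python
"""Replay of the GetSessionToken search over constructed CloudTrail records (added example)."""
import json
from collections import Counter

ACCOUNT = "123456789012"  # constructed account id, not a real account


def iam_user(name):
    """userIdentity block of an IAM user calling with a long-term (AKIA) key."""
    return {"type": "IAMUser", "userName": name,
            "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}",
            "accessKeyId": "AKIAEXAMPLE" + name.upper()}


def record(time, name, identity, ip, serial=None, error=None):
    """One constructed CloudTrail record, limited to the fields the search uses."""
    rec = {"eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": "aws-cli/2.15.0",
           "userIdentity": identity,
           # requestParameters.serialNumber is only present when the caller supplied an MFA device
           "requestParameters": {"serialNumber": serial, "durationSeconds": 3600} if serial else None}
    if error:
        rec["errorCode"] = error  # a failed call returns no credentials
    elif name == "GetSessionToken":
        # temporary credentials come back with an ASIA-prefixed access key id
        rec["responseElements"] = {"credentials": {"accessKeyId": "ASIAEXAMPLE" + time[11:13] + time[14:16]}}
    return rec


# Constructed JSON-lines log: two plain alice calls, one MFA-backed bob call, a root call,
# a console login and a failed alice call (wrong MFA code). None of this is real traffic.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    record("2024-05-01T10:00:00Z", "GetSessionToken", iam_user("alice"), "203.0.113.10"),
    record("2024-05-01T10:05:00Z", "GetSessionToken", iam_user("bob"), "198.51.100.7",
           serial=f"arn:aws:iam::{ACCOUNT}:mfa/bob"),
    record("2024-05-01T10:06:00Z", "GetSessionToken",
           {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}, "203.0.113.10"),
    record("2024-05-01T10:07:00Z", "ConsoleLogin", iam_user("alice"), "203.0.113.10"),
    record("2024-05-01T10:09:00Z", "GetSessionToken", iam_user("alice"), "192.0.2.44"),
    record("2024-05-01T10:10:00Z", "GetSessionToken", iam_user("alice"), "192.0.2.44",
           serial=f"arn:aws:iam::{ACCOUNT}:mfa/alice", error="AccessDenied"),
])


def load_records(text):
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_search(rec):
    """Mirror of the search's filters: eventName=GetSessionToken, userIdentity.type=IAMUser,
    and the ASIA keyword, taken here to mean an ASIA-prefixed key id in responseElements."""
    if rec.get("eventName") != "GetSessionToken":
        return False
    if rec.get("userIdentity", {}).get("type") != "IAMUser":
        return False
    key = ((rec.get("responseElements") or {}).get("credentials") or {}).get("accessKeyId", "")
    return key.startswith("ASIA")


def project(rec):
    """The columns the search tables, plus serialNumber for tuning.
    status is derived from errorCode (assumption; the search's status field is CIM-mapped)."""
    ident = rec["userIdentity"]
    return {"sourceIPAddress": rec["sourceIPAddress"], "eventTime": rec["eventTime"],
            "userIdentity.arn": ident["arn"], "userName": ident.get("userName"),
            "userAgent": rec["userAgent"], "user_type": ident["type"],
            "status": "failure" if "errorCode" in rec else "success",
            "region": rec["awsRegion"],
            "serialNumber": (rec.get("requestParameters") or {}).get("serialNumber")}


def find_abuse(text, known_mfa_serials=frozenset()):
    """Run the search, then apply the false-positive tuning: suppress calls backed by an MFA
    device the environment recognises and return a per-user count so a burst of token
    minting from one key stands out against the normal background."""
    hits = [project(r) for r in load_records(text) if matches_search(r)]
    findings = [h for h in hits if h["serialNumber"] not in known_mfa_serials]
    per_user = Counter(h["userIdentity.arn"] for h in hits)
    return findings, per_user


if __name__ == "__main__":
    known = {f"arn:aws:iam::{ACCOUNT}:mfa/bob"}
    findings, per_user = find_abuse(SAMPLE_LOG, known_mfa_serials=known)
    for f in findings:
        print(f["eventTime"], f["userName"], f["sourceIPAddress"], f["status"], f["user_type"])
    print(dict(per_user))
```

With bob's MFA device on the allow-list only alice's two successful calls remain, and the per-user counter shows alice minting two tokens from two different source IPs in ten minutes while bob shows one. The failed call is invisible to the search because no ASIA key was returned; if failed attempts matter in your environment, drop the `ASIA` keyword and filter on `errorCode` instead. The root GetSessionToken is also excluded by `userIdentity.type=IAMUser`, which is worth a separate search since AWS recommends never calling GetSessionToken with root credentials.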