Techniques
Sample rules
aws detect sts get session token abuse
- source: splunk
- techniques:
  - T1550
Description
This search detects suspicious use of sts:GetSessionToken. The temporary credentials it returns can be created on demand and used by attackers to move laterally and escalate privileges.
Detection logic
`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser
| spath eventName
| search eventName=GetSessionToken
| table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region
| `aws_detect_sts_get_session_token_abuse_filter`
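The same conditions as the search above, applied to a few constructed CloudTrail records in Python, as an added illustration that is not part of the Splunk rule: the records are sample data, the allow-list set stands in for the `aws_detect_sts_get_session_token_abuse_filter` macro, and deriving `status` and `region` from the raw `errorCode` and `awsRegion` fields is an assumption about how those CIM fields are populated.

```python
import json

# Constructed CloudTrail records (sample data, not real events) in the shape the SPL consumes.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "GetSessionToken", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000001"}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",  # wrong eventName
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000002"}}},
    {"eventTime": "2024-01-01T10:10:00Z", "eventName": "GetSessionToken", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.9", "userAgent": "Boto3/1.34.0",  # allow-listed user
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE0000003"}}},
]

# Stand-in for the `aws_detect_sts_get_session_token_abuse_filter` macro (assumption).
ALLOWLISTED_USERS = {"ci-deploy"}

def matches_rule(event: dict) -> bool:
    """Same conditions as the SPL: keyword ASIA, IAMUser identity, GetSessionToken."""
    ident = event.get("userIdentity", {})
    raw = json.dumps(event)  # the free-text ASIA term is approximated as a raw-event substring
    return ("ASIA" in raw
            and ident.get("type") == "IAMUser"
            and event.get("eventName") == "GetSessionToken")

def detect(events):
    """Return the rows the `| table ...` stage would emit, after the filter macro."""
    rows = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if not matches_rule(ev) or ident.get("userName") in ALLOWLISTED_USERS:
            continue
        rows.append({
            "sourceIPAddress": ev.get("sourceIPAddress"),
            "eventTime": ev.get("eventTime"),
            "userIdentity.arn": ident.get("arn"),
            "userName": ident.get("userName"),
            "userAgent": ev.get("userAgent"),
            "user_type": ident.get("type"),
            "status": "failure" if ev.get("errorCode") else "success",  # assumption
            "region": ev.get("awsRegion"),  # assumption: region maps from awsRegion
        })
    return rows
```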