LoFP / this is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event and include exceptions where necessary.

Techniques

• T1021
• T1550

Sample rules

AWS EC2 Instance Console Login via Assumed Role

• source: elastic
• technicques:
  • T1021
  • T1550

Description

Identifies a successful console login activity by an EC2 instance profile using an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern “i-” which is the beginning pattern for assumed role sessions started by an EC2 instance and a successful ConsoleLogin or GetSigninToken API call.

Detection logic

any where event.dataset == "aws.cloudtrail"
   and event.provider == "signin.amazonaws.com"
   and event.action in ("ConsoleLogin", "GetSigninToken") 
   and event.outcome == "success"
   and aws.cloudtrail.user_identity.type == "AssumedRole"
   and stringContains (user.id, ":i-")