LoFP / this is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event and include exceptions where necessary.

Techniques

• T1021
• T1078
• T1550
• T1552

Sample rules

AWS EC2 Instance Console Login via Assumed Role

• source: elastic
• technicques:
  • T1021
  • T1078
  • T1550
  • T1552

Description

Detects successful AWS Management Console or federation login activity performed using an EC2 instance’s assumed role credentials. EC2 instances typically use temporary credentials to make API calls, not to authenticate interactively via the console. A successful “ConsoleLogin” or “GetSigninToken” event using a session pattern that includes “i-” (the EC2 instance ID) is highly anomalous and may indicate that an adversary obtained the instance’s temporary credentials from the instance metadata service (IMDS) and used them to access the console. Such activity can enable lateral movement, privilege escalation, or persistence within the AWS account.

Detection logic

info where event.dataset == "aws.cloudtrail"
   and event.provider == "signin.amazonaws.com"
   and event.action in ("ConsoleLogin", "GetSigninToken")
   and event.outcome == "success"
   and aws.cloudtrail.user_identity.type == "AssumedRole"
   and stringContains (user.id, ":i-")