[New Rule] AWS STS GetSessionToken Abuse (#1213)

* Update impact_iam_deactivate_mfa_device.toml #1111 * Update impact_iam_deactivate_mfa_device.toml * Update discovery_post_exploitation_external_ip_lookup.toml "*ipapi.co", "*ip-lookup.net", "*ipstack.com" * Update rules/aws/impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Revert "Update discovery_post_exploitation_external_ip_lookup.toml" This reverts commit b57fd60. * Update * New Rule: Okta User Attempted Unauthorized Access * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Update privilege_escalation_okta_user_attempted_unauthorized_access.toml * Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml * Create persistence_new-or-modified-federation-domain.toml * Delete persistence_new-or-modified-federation-domain.toml * Create lateral_movement_sts_getsessiontoken_abuse.toml * Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update .gitignore Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update privilege_escalation_sts_getsessiontoken_abuse.toml * Update * Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit 93b8038)
elastic · Sep 22, 2021 · 03ac44e · 03ac44e
1 parent e6673cd
commit 03ac44e
Showing 1 changed file with 71 additions and 0 deletions.
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -0,0 +1,71 @@
+[metadata]
+creation_date = "2021/05/17"
+maturity = "production"
+updated_date = "2021/07/24"
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and 
+escalate privileges.
+"""
+false_positives = [
+    """
+    GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user 
+    agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or 
+    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+index = ["filebeat-*", "logs-aws*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS STS GetSessionToken Abuse"
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+]
+
+risk_score = 21
+rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
+severity = "low"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and 
+aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"