-
Notifications
You must be signed in to change notification settings - Fork 461
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[New Rule] AWS STS GetSessionToken Abuse #1152
Comments
Added #955 to the issues that related. |
Working on a branch right now and will create a pull request when completed. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
open PR in review |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
Required Info
Target indexes
filebeat-*, logs-aws*
Platforms
AWS Cloudtrail
Optional Info
Query
New fields required in ECS/data sources for this rule?
Related issues or PRs
False Positives
MITRE
lateral_movement_sts_getsessiontoken_abuse.toml
References
Tags
Elastic,Cloud,AWS,Continuous Monitoring, SecOps,Identity and Access
Example Data
The text was updated successfully, but these errors were encountered: