
[New Rule] AWS STS GetSessionToken Abuse #1152

Closed
austinsonger opened this issue Apr 26, 2021 · 4 comments · Fixed by #1213
Labels
community Rule: New Proposal for new rule

Comments

@austinsonger
Contributor

austinsonger commented Apr 26, 2021

Description

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Required Info

Target indexes

filebeat-*, logs-aws*

Platforms

AWS Cloudtrail

Optional Info

Query

event.dataset:aws.cloudtrail and
event.provider:sts.amazonaws.com and
event.action:GetSessionToken and
aws.cloudtrail.user_identity.type:IAMUser and
event.outcome:success

What is the user type for just a plain IAM user?

New fields required in ECS/data sources for this rule?

Related issues or PRs

False Positives

MITRE

| Tactic | Technique ID | Technique Name | Sub-Technique Name |
|---|---|---|---|
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism | |
| Lateral Movement | T1550 | Use Alternate Authentication Material | Application Access Token |

lateral_movement_sts_getsessiontoken_abuse.toml

References

Tags

Elastic, Cloud, AWS, Continuous Monitoring, SecOps, Identity and Access

Example Data
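To see what the proposed query actually selects, here is an added example (not Elastic's rule engine and not part of this issue) that evaluates the five conditions of the query against constructed CloudTrail records. CloudTrail reports an ordinary IAM user as userIdentity.type "IAMUser", which is what the query's aws.cloudtrail.user_identity.type:IAMUser clause keys on. The cloudtrail_to_ecs mapping below is a simplified stand-in for the Filebeat aws.cloudtrail field mapping (assumed here: eventSource to event.provider, eventName to event.action, and a missing errorCode meaning event.outcome:success); the record contents and eventID values are constructed.

```python
"""Evaluate the proposed GetSessionToken rule against constructed CloudTrail records.

Added example; the ECS mapping below is a simplified assumption, not Filebeat's
actual pipeline, and the sample records are constructed, not real telemetry.
"""
from typing import Any, Dict, List

# The five conditions of the proposed KQL query, as field -> required value.
RULE_CONDITIONS: Dict[str, str] = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "sts.amazonaws.com",
    "event.action": "GetSessionToken",
    "aws.cloudtrail.user_identity.type": "IAMUser",
    "event.outcome": "success",
}


def cloudtrail_to_ecs(record: Dict[str, Any]) -> Dict[str, str]:
    """Flatten a raw CloudTrail record into the dotted ECS fields the rule reads.

    Assumption (simplified mapping): a record carrying errorCode is a failure,
    anything else is a success.
    """
    identity = record.get("userIdentity", {})
    return {
        "event.id": record.get("eventID", ""),
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource", ""),
        "event.action": record.get("eventName", ""),
        "aws.cloudtrail.user_identity.type": identity.get("type", ""),
        "user.name": identity.get("userName", ""),
        "event.outcome": "failure" if record.get("errorCode") else "success",
    }


def matches_rule(ecs: Dict[str, str]) -> bool:
    """True when every clause of the proposed query holds (KQL 'and' semantics)."""
    return all(ecs.get(field) == value for field, value in RULE_CONDITIONS.items())


# Constructed sample records covering the match and the main non-match cases.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"eventID": "evt-1", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Already-assumed role calling GetSessionToken: user type does not match.
    {"eventID": "evt-2", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "AssumedRole", "userName": ""}},
    # Denied call: outcome is failure, so it falls outside event.outcome:success.
    {"eventID": "evt-3", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"},
    # Different STS action from an IAM user.
    {"eventID": "evt-4", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    # Root credentials show up as type "Root", not "IAMUser".
    {"eventID": "evt-5", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "userIdentity": {"type": "Root", "userName": ""}},
]


def find_matches(records: List[Dict[str, Any]]) -> List[str]:
    """Return the eventIDs of records the proposed query would alert on."""
    return [r["eventID"] for r in records if matches_rule(cloudtrail_to_ecs(r))]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ecs = cloudtrail_to_ecs(rec)
        print(f"{ecs['event.id']}: {ecs['aws.cloudtrail.user_identity.type']:12} "
              f"{ecs['event.action']:16} {ecs['event.outcome']:8} "
              f"-> {'ALERT' if matches_rule(ecs) else 'no match'}")
```

Running it shows only evt-1 alerting: the AssumedRole, Root, failed and AssumeRole records all drop out on exactly one clause each, which is a quick way to check that a tuning change to the query (say, widening the user type) removes only the records you intended.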

@austinsonger austinsonger added the Rule: New Proposal for new rule label Apr 26, 2021
@austinsonger
Contributor Author

Added #955 to the related issues.

@austinsonger austinsonger changed the title from "[New Rule][Draft] AWS Detects STS GetSessionToken Abuse" to "[New Rule][Draft] AWS STS GetSessionToken Abuse" Apr 26, 2021
@austinsonger austinsonger changed the title from "[New Rule][Draft] AWS STS GetSessionToken Abuse" to "[New Rule] AWS STS GetSessionToken Abuse" Apr 26, 2021
@austinsonger
Contributor Author

Working on a branch right now and will create a pull request when completed.

@botelastic

botelastic bot commented Aug 25, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Aug 25, 2021
@brokensound77
Collaborator

open PR in review

@botelastic botelastic bot removed the stale 60 days of inactivity label Aug 26, 2021