From bea71784db3aa043a200b051a7744263d7d85d44 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 16 Apr 2025 12:09:51 -0400
Subject: [PATCH 1/3] adding new rule 'AWS STS Temporary IAM Session Token Used from Multiple Addresses'
---
...on_token_used_from_multiple_addresses.toml | 120 ++++++++++++++++++
1 file changed, 120 insertions(+)
create mode 100644 rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
new file mode 100644
index 00000000000..f3eca8186a8
--- /dev/null
+++ b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
@@ -0,0 +1,120 @@
+[metadata]
+creation_date = "2025/04/11"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/04/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a single IAM user's temporary session token is used from multiple IP addresses within a short
+time frame. This behavior may indicate that an adversary has stolen temporary credentials and is using them from a
+different location.
+"""
+false_positives = [
+ """
+ Highly distributed environments (e.g., globally deployed automation or edge nodes) may cause a single IAM user to
+ appear from multiple IPs. Review the geolocation and automation context to rule out benign use.
+ """,
+]
+from = "now-15m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS STS Temporary IAM Session Token Used from Multiple Addresses"
+note = """## Triage and Analysis
+
+### Investigating AWS STS Temporary IAM Session Token Used from Multiple Addresses
+
+Temporary session tokens (typically starting with 'ASIA') are expected to be short-lived and bound to a single user session. Usage from multiple IP addresses may indicate the token was stolen and used elsewhere.
+
+#### Possible Investigation Steps
+
+- **Identify the IAM User**: Examine `aws.cloudtrail.user_identity.arn` and correlate with `source.ip` to determine how widely the token was used.
+- **Check Recent MFA Events**: Determine whether the user recently enabled MFA, registered devices, or assumed a role using this token.
+- **Review Workload Context**: Confirm whether the user was expected to be active in multiple regions or environments.
+- **Trace Adversary Movement**: Pivot to related actions (e.g., `s3:ListBuckets`, `iam:ListUsers`, `sts:GetCallerIdentity`) to track further enumeration.
+
+### False Positive Analysis
+
+- Automation frameworks that rotate through multiple IPs or cloud functions with dynamic egress IPs may cause this alert to fire.
+- Confirm geolocation and workload context before escalating.
+
+### Response and Remediation
+
+- **Revoke the Token**: Disable or rotate the IAM credentials and invalidate the temporary session token.
+- **Audit the Environment**: Look for signs of lateral movement or data access during the token's validity.
+- **Strengthen Controls**: Require MFA for high-privilege actions, restrict access via policy conditions (e.g., IP range or device).
+
+### References
+
+- [STS Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
+- [Using MFA with Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+- [AWS Threat Detection Use Cases](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html)
+"""
+references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"]
+risk_score = 47
+rule_id = "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Data Source: AWS CloudTrail",
+ "Tactic: Initial Access",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail* metadata _id, _version, _index
+| where
+
+ // filter on CloudTrail logs for STS temporary session tokens used by IAM users
+ event.dataset == "aws.cloudtrail"
+ and aws.cloudtrail.user_identity.arn is not null
+ and aws.cloudtrail.user_identity.type == "IAMUser"
+ and source.ip is not null
+
+ // exclude known benign IaC tools and automation frameworks
+ and not (
+ user_agent.original LIKE "%Terraform%"
+ or user_agent.original LIKE "%Ansible%"
+ or user_agent.original LIKE "%Pulumni%"
+ )
+
+ // filter for ASIA in tokens, indicating temporary session tokens
+ and starts_with(aws.cloudtrail.user_identity.access_key_id, "ASIA")
+
+ // create a time window for aggregation
+| eval time_window = DATE_TRUNC(1 hours, @timestamp)
+| keep source.ip, aws.cloudtrail.user_identity.arn
+
+// aggregate unique source IPs per user within the time window
+| stats source.ip.list = VALUES(source.ip), address_api_request_count = count_distinct(source.ip) by aws.cloudtrail.user_identity.arn
+
+// filter for users with multiple unique source IPs in the time window
+| where address_api_request_count >= 2
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
From 9b23c6e8708ae36a7f2c23ffaeebd9a5215d6a23 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 16 Apr 2025 12:24:38 -0400
Subject: [PATCH 2/3] updating rule assets
---
...cess_iam_session_token_used_from_multiple_addresses.toml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
index f3eca8186a8..68c5730cb10 100644
--- a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
+++ b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
@@ -17,7 +17,7 @@ false_positives = [
 appear from multiple IPs. Review the geolocation and automation context to rule out benign use.
 """,
 ]
-from = "now-15m"
+from = "now-30m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS STS Temporary IAM Session Token Used from Multiple Addresses"
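Review bot: The `stats ... by aws.cloudtrail.user_identity.arn` groups by principal rather than by session token, so a user who legitimately holds two different ASIA sessions at once (a laptop and a CI job, say) trips the rule exactly like a stolen token does, and the `| keep source.ip, aws.cloudtrail.user_identity.arn` just above drops `access_key_id`, which is the thing the rule name and description say is being tracked. Carrying the key through and grouping on it — `| keep source.ip, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id` and `... by aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id` — matches the stated intent and removes that false-positive class. The `user_agent.original LIKE` exclusions earlier in the hunk are caller-controlled: CloudTrail records whatever User-Agent the client sends, so an adversary replaying a stolen token from a client whose UA contains "Terraform" is filtered out before aggregation; this is worth stating in the note's False Positive Analysis and, ideally, replacing with an allow-list of known automation principals. `"%Pulumni%"` also looks like a misspelling of Pulumi, in which case that pattern never matches anything.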
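Review bot: Widening `from` to `now-30m` makes the lookback the effective aggregation window for this query, because the `time_window` column computed later is never grouped on; no `interval` is set in this file, so if the default 5 minute cadence applies the same pair of addresses is re-evaluated on every run for half an hour, and an aggregating ES|QL rule will likely emit a fresh alert each time. Either set `interval = "30m"` next to `from = "now-30m"` or add alert suppression keyed on `aws.cloudtrail.user_identity.arn` so one stolen-token incident does not page six times. The `[rule]` table this hunk sits in begins before and continues after the hunk.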
@@ -75,7 +75,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
 // filter on CloudTrail logs for STS temporary session tokens used by IAM users
 event.dataset == "aws.cloudtrail"
 and aws.cloudtrail.user_identity.arn is not null
- and aws.cloudtrail.user_identity.type == "IAMUser"
+ and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
 and source.ip is not null
 // exclude known benign IaC tools and automation frameworks
@@ -89,7 +89,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
 and starts_with(aws.cloudtrail.user_identity.access_key_id, "ASIA")
 // create a time window for aggregation
-| eval time_window = DATE_TRUNC(1 hours, @timestamp)
+| eval time_window = DATE_TRUNC(30 minutes, @timestamp)
 | keep source.ip, aws.cloudtrail.user_identity.arn
 // aggregate unique source IPs per user within the time window
From 44a2f4c41aa1482ec545f0391040e254c29a8d80 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 16 Apr 2025 14:20:14 -0400
Subject: [PATCH 3/3] updating mitre mapping
---
...l_access_iam_session_token_used_from_multiple_addresses.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
index 68c5730cb10..c1a1f0b0648 100644
--- a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
+++ b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
@@ -116,5 +116,5 @@ reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+reference = "https://attack.mitre.org/tactics/TA0001/"
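Review bot: Admitting `AssumedRole` identities leaves the comment three lines above, `// filter on CloudTrail logs for STS temporary session tokens used by IAM users`, and the rule's `description` and `note` text (which speak only of an IAM user) stale; update the comment to `// filter on CloudTrail logs for STS temporary session tokens used by IAM users or assumed roles` and mention role sessions in the description. Role sessions also shift the false-positive profile: an assumed-role `user_identity.arn` embeds the session name, and roles assumed by Lambda, ECS or autoscaled EC2 routinely call the API from many egress addresses within 30 minutes, so the `false_positives` entry should call out role-based workloads explicitly rather than only "automation or edge nodes". The enclosing `query` string starts and ends outside this hunk.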
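Review bot: Changing `DATE_TRUNC` to 30 minutes has no effect on what the rule emits: `time_window` is discarded by `| keep source.ip, aws.cloudtrail.user_identity.arn` on the very next line and is absent from the `stats ... by` clause, so distinct IPs are counted over the whole `from` lookback, not per bucket, and the "create a time window for aggregation" comment is misleading. Either carry it through — `| keep source.ip, aws.cloudtrail.user_identity.arn, time_window` and `... by aws.cloudtrail.user_identity.arn, time_window` — or delete the `eval` and its comment so the next reader does not assume bucketed aggregation. The `query` string continues outside this hunk.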