diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml deleted file mode 100644 index 992421cf839..00000000000 --- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml +++ /dev/null @@ -1,113 +0,0 @@ -[metadata] -creation_date = "2021/05/17" -integration = ["aws"] -maturity = "production" -updated_date = "2025/01/15" - -[rule] -author = ["Austin Songer"] -description = """ -Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and -escalate privileges. -""" -false_positives = [ - """ - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, - and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should - be investigated. If known behavior is causing false positives, it can be exempted from the rule. - """, -] -index = ["filebeat-*", "logs-aws.cloudtrail-*"] -language = "kuery" -license = "Elastic License v2" -name = "AWS STS GetSessionToken Abuse" -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating AWS STS GetSessionToken Abuse - -AWS Security Token Service (STS) provides temporary credentials for AWS resources, crucial for managing access without long-term credentials. Adversaries may exploit GetSessionToken to create temporary credentials, enabling lateral movement and privilege escalation. The detection rule identifies successful GetSessionToken requests by IAM users, flagging potential misuse for further investigation. - -### Possible investigation steps - -- Review the CloudTrail logs for the specific GetSessionToken event to gather details about the IAM user involved, including the time of the request and the source IP address. -- Check the IAM user's activity history to identify any unusual patterns or deviations from their normal behavior, such as accessing resources they typically do not use. -- Investigate the source IP address from which the GetSessionToken request originated to determine if it is associated with known malicious activity or if it is an unexpected location for the user. -- Examine the permissions and roles associated with the temporary credentials issued by the GetSessionToken request to assess the potential impact of their misuse. -- Correlate the GetSessionToken event with other security events or alerts in the same timeframe to identify any related suspicious activities or potential indicators of compromise. - -### False positive analysis - -- Routine administrative tasks by IAM users can trigger GetSessionToken requests. To manage this, identify and whitelist IAM users or roles that regularly perform these tasks as part of their job functions. -- Automated scripts or applications that use GetSessionToken for legitimate purposes may cause false positives. Review and document these scripts, then create exceptions for their activity in the detection rule. -- Scheduled jobs or services that require temporary credentials for periodic tasks might be flagged. Ensure these are documented and excluded from alerts by adjusting the rule to recognize their specific patterns. -- Development and testing environments often generate GetSessionToken requests during normal operations. Consider excluding these environments from the rule or adjusting the risk score to reflect their lower threat level. -- Cross-account access scenarios where users from one account access resources in another using temporary credentials can appear suspicious. Verify these access patterns and exclude them if they are part of regular operations. - -### Response and remediation - -- Immediately revoke the temporary credentials associated with the suspicious GetSessionToken request to prevent further unauthorized access. -- Conduct a thorough review of the IAM user's activity logs to identify any unauthorized actions or access patterns that may indicate lateral movement or privilege escalation. -- Isolate any affected resources or accounts to contain potential threats and prevent further exploitation. -- Reset the credentials of the IAM user involved and enforce multi-factor authentication (MFA) to enhance security. -- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation. -- Implement additional monitoring and alerting for unusual GetSessionToken requests to detect similar activities in the future. -- Review and tighten IAM policies and permissions to ensure the principle of least privilege is enforced, reducing the risk of privilege escalation. - -## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" -references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"] -risk_score = 21 -rule_id = "b45ab1d2-712f-4f01-a751-df3826969807" -severity = "low" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS STS", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and -aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" - - -[rule.threat.tactic] -id = "TA0004" -name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1550" -name = "Use Alternate Authentication Material" -reference = "https://attack.mitre.org/techniques/T1550/" -[[rule.threat.technique.subtechnique]] -id = "T1550.001" -name = "Application Access Token" -reference = "https://attack.mitre.org/techniques/T1550/001/" - - - -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml new file mode 100644 index 00000000000..39bc5a78dcd --- /dev/null +++ b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml @@ -0,0 +1,139 @@ +[metadata] +bypass_bbr_timing = true +creation_date = "2021/05/17" +integration = ["aws"] +maturity = "production" +updated_date = "2025/11/03" + +[rule] +author = ["Austin Songer", "Elastic"] +building_block_type = "default" +description = """ +Identifies the use of GetSessionToken API calls by IAM users or Root Account. While this is a common and legitimate +operation used to obtain temporary credentials, it also provides adversaries with a method to generate short-lived +tokens for stealthy activity. Attackers who compromise IAM user access keys may call GetSessionToken to create temporary +credentials, which they can then use to move laterally, escalate privileges, or persist after key rotation. This rule is +intended as a BBR to establish patterns of typical STS usage and support correlation with higher-fidelity detections. +""" +false_positives = [ + """ + GetSessionToken is widely used by legitimate automation, CLI users, and administrative scripts to acquire temporary + credentials. Frequent, authorized usage is expected in most environments, especially where IAM users authenticate + with MFA or use short-lived tokens. Review IAM and CI/CD users, SDKs, and service accounts that regularly perform + this action and document them in an allowlist. Suppress or tune accordingly to reduce noise. + """, +] +from = "now-6m" +index = ["filebeat-*", "logs-aws.cloudtrail-*"] +language = "kuery" +license = "Elastic License v2" +name = "AWS STS GetSessionToken Usage" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating AWS STS GetSessionToken Usage + +AWS Security Token Service (STS) provides temporary credentials for AWS resources, crucial for managing access without long-term credentials. Adversaries may exploit `GetSessionToken` to create temporary credentials, enabling lateral movement and privilege escalation. The detection rule identifies successful `GetSessionToken` requests, flagging potential misuse for further investigation. + +#### Possible investigation steps +- **Establish normal baseline behavior** + - Use this rule’s data to determine which IAM users or automation scripts routinely perform `GetSessionToken`. + - Monitor frequency, regions, and user agents (CLI, SDK, console) for each identity over time. + +- **Identify anomalies** + - Look for first-time or rare `GetSessionToken` usage by an IAM user. + - Detect tokens issued without MFA when MFA is normally required. + - Identify new or unexpected source IPs, geographies, or user agents (e.g., API calls from unfamiliar networks). + - Check for multiple temporary tokens minted in rapid succession by the same user or access key. + +- **Correlate with downstream activity** + - Search for immediate follow-on events within 15 minutes of token creation: + - `AssumeRole` into higher-privileged roles or cross-account roles. + - Privileged API calls (e.g., `iam:*`, `s3:PutBucketPolicy`, `ec2:CreateSnapshot`). + - New region access, resource enumeration, or credential operations (`GetCallerIdentity`, `ListUsers`, etc.). + - Use this correlation to elevate contextual `GetSessionToken` behavior into actionable detections. + +### Usage Notes +- This rule’s telemetry can support hunting queries such as: + - `GetSessionToken` without `TokenCode` (no MFA) + - New IP + `GetSessionToken` + `AssumeRole` + - Rapid token issuance followed by API activity from a new ASN + +Use these patterns in combination with related BBRs or detection rules for `AssumeRole` abuse, cross-account access, +or credential pivoting for more reliable threat detection. +""" +references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"] +risk_score = 21 +rule_id = "b45ab1d2-712f-4f01-a751-df3826969807" +severity = "low" +tags = [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Rule Type: BBR", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset: aws.cloudtrail + and event.provider: sts.amazonaws.com + and event.action: GetSessionToken + and event.outcome: success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", +] +