mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
28 lines
1.1 KiB
YAML
28 lines
1.1 KiB
YAML
title: AWS STS AssumedRole Misuse
|
|
id: b45ab1d2-712f-4f01-a751-df3826969807
|
|
description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges.
|
|
author: Austin Songer
|
|
status: experimental
|
|
date: 2021/07/24
|
|
references:
|
|
- https://github.com/elastic/detection-rules/pull/1214
|
|
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
|
|
logsource:
|
|
service: cloudtrail
|
|
detection:
|
|
selection:
|
|
eventSource: sts.amazonaws.com
|
|
eventName: AssumedRole
|
|
userIdentity.sessionContext: Role
|
|
condition: selection
|
|
level: low
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.privilege_escalation
|
|
- attack.t1548
|
|
- attack.t1550
|
|
- attack.t1550.001
|
|
falsepositives:
|
|
- AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
|
- Automated processes that uses Terraform may lead to false positives.
|