From 6b8cd1f0f1d222dcffa95394b4cbcec2a05137a0 Mon Sep 17 00:00:00 2001
From: clebron23 <88591929+clebron23@users.noreply.github.com>
Date: Mon, 26 Feb 2024 15:27:22 -0600
Subject: [PATCH] Merge PR #4734 from @clebron23 - Add new AWS rule related to
 `GetSigninToken` abuse

new: AWS Console GetSigninToken Potential Abuse

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../cloudtrail/aws_console_getsignintoken.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml

diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
new file mode 100644
index 000000000..8e70b1e85
--- /dev/null
+++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
@@ -0,0 +1,28 @@
+title: AWS Console GetSigninToken Potential Abuse
+id: f8103686-e3e8-46f3-be72-65f7fcb4aa53
+status: experimental
+description: |
+    Detects potentially suspicious events involving "GetSigninToken".
+    An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
+references:
+    - https://github.com/NetSPI/aws_consoler
+    - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
+author: Chester Le Bron (@123Le_Bron)
+date: 2024/02/26
+tags:
+    - attack.lateral_movement
+    - attack.t1021.007
+    - attack.t1550.001
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: 'signin.amazonaws.com'
+        eventName: 'GetSigninToken'
+    filter_main_console_ua:
+        userAgent|contains: 'Jersey/${project.version}'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - GetSigninToken events will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. Non-SSO configured roles would be abnormal and should be investigated.
+level: medium