security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ce072a4e58238d94deae33ff8de25458ac129d5
sigma-rules/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml
T
Isai 25545b5802 [Rule Tunings] AWS New Terms History Window Reduction (#5479) 
I reduced the history window for new terms rules that were either:
- `now-14 days`
- showing slow performance metrics

There are still several AWS rules with a `now-10d` window but they are not showing any performance issues so I'd like to leave them as is for now.

First Time Seen AWS Secret Value Accessed in Secrets Manager
- removed `BatchGetSecretValue` API call since this calls `GetSecretValue`
- removed the user_agent exclusions from this one, too easy to bypass.

AWS EC2 User Data Retrieval for EC2 Instance
- excluded more benign AWS services from telemetry

AWS IAM Assume Role Policy Update
- removed use of cloudformation exclusion, this should be captured as well
2025-12-18 11:47:59 -05:00

155 lines
6.8 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2024/11/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/16"
[rule]
author = ["Elastic"]
description = """
Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain
temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege
escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS)
to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for
unauthorized access, privilege escalation, or lateral movement within an AWS environment.
"""
false_positives = [
"""
AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.
Applications integrated with AWS might assume roles to access AWS resources. Automated workflows might assume roles
to perform periodic tasks such as data backups, updates, or deployments.
""",
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS STS Role Assumption by User"
note = """## Triage and analysis
### Investigating AWS STS Role Assumption by User
This rule detects when a user assumes a role in AWS Security Token Service (STS), receiving temporary credentials to access AWS resources. While often used for legitimate purposes, this action can be leveraged by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.
#### Possible Investigation Steps
- **Identify the User and Assumed Role**:
- **User Identity**: Check `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` for details about the initiator of the `AssumeRole` action.
- **Role Assumed**: Review `aws.cloudtrail.resources.arn` to confirm the role assumed and ensure it aligns with the users standard permissions.
- **Session Name**: Note `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the purpose of the session.
- **Expiration Time**: Use `aws.cloudtrail.flattened.response_elements.credentials.expiration` to confirm the credential expiration.
- **Inspect User Agent and Source Information**:
- **User Agent**: Analyze the `user_agent.original` field to identify if specific tooling or SDKs like AWS CLI, Boto3, or custom agents were used.
- **Source IP and Geolocation**: Examine `source.ip` and `source.geo` fields to determine the origin of the request, confirming if it aligns with expected locations.
- **Correlate with Related Events**:
- **Identify Patterns**: Review related CloudTrail events for unusual access patterns, such as resource access or sensitive actions following this `AssumeRole` action.
- **Filter High-Volume Roles**: If this role or user has a high volume of access, evaluate `roleArn` or `user_agent` values for common patterns and add trusted entities as exceptions.
- **Review the Privileges of the Assumed Role**:
- **Permissions**: Examine permissions associated with the `roleArn` to assess its access scope.
- **Authorized Usage**: Confirm if the role is used frequently for administrative purposes and if this aligns with the users regular responsibilities.
### False Positive Analysis
- **Automated Processes and Applications**: Applications or scheduled tasks may assume roles regularly for operational purposes. Validate the consistency of the `user_agent` or `roleArn` with known automated workflows.
- **Standard IAM Policy Usage**: Confirm if the user or application routinely assumes new roles for normal operations by reviewing historical activity.
### Response and Remediation
- **Terminate Unauthorized Sessions**: If the role assumption is deemed unauthorized, revoke the session by modifying IAM policies or the permissions associated with the assumed role.
- **Strengthen Monitoring and Alerts**: Implement additional monitoring for specific high-risk roles, especially those with elevated permissions.
- **Regularly Manage Exceptions**: Regularly review high-volume roles and user agent patterns to refine alerts, minimizing noise by adding trusted patterns as exceptions.
- **Incident Response**: If confirmed as malicious, follow incident response protocols for containment, investigation, and remediation.
### Additional Information
For more details on managing and securing AWS STS in your environment, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).
"""
references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
risk_score = 21
rule_id = "288a198e-9b9b-11ef-a0a8-f661ea17fbcd"
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS STS",
"Resources: Investigation Guide",
"Use Case: Identity and Access Audit",
"Tactic: Privilege Escalation",
"Tactic: Lateral Movement",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset: "aws.cloudtrail"
and event.provider: "sts.amazonaws.com"
and event.action: "AssumeRole"
and event.outcome: "success"
and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"aws.cloudtrail.resources.arn",
"aws.cloudtrail.resources.type",
"aws.cloudtrail.flattened.request_parameters.roleSessionName",
"aws.cloudtrail.flattened.response_elements.credentials.accessKeyId",
"cloud.region",
"cloud.account.id",
"aws.cloudtrail.request_parameters",
"aws.cloudtrail.response_elements",
]
[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name", "aws.cloudtrail.resources.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-5d"
Reference in New Issue View Git Blame Copy Permalink