Name:aws detect sts assume role abuse id:8e565314-b6a2-46d8-9f05-1a34a176a662 version:3 date:2024-10-17 author:Rod Soto, Splunk status:experimental type:Hunting Description:The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, focusing on specific fields like source IP address, user ARN, and role names. This activity is significant because attackers can use assumed roles to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive resources, execute code, or further entrench themselves within the environment, leading to potential data breaches or service disruptions. Data_source:
how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs known_false_positives:Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse. References: drilldown_searches:
: tags: analytic_story: - 'AWS Cross Account Activity' asset_type:AWS Account confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1078' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'user_type' - 'userIdentity.sessionContext.sessionIssuer.type' - 'sourceIPAddress' - 'userIdentity.arn' - 'user_agent' - 'user_access_key' - 'status' - 'action' - 'requestParameters.roleName' - 'esponseElements.role.roleName' - 'esponseElements.role.createDate' risk_score:25 security_domain:threat
