Name:aws detect sts get session token abuse id:85d7b35f-b8b5-4b01-916f-29b81e7a0551 version:3 date:2024-10-17 author:Rod Soto, Splunk status:experimental type:Hunting Description:The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, focusing on fields such as source IP address, event time, user identity, and status. This activity is significant because attackers can use these tokens to move laterally within the AWS environment and escalate privileges. If confirmed malicious, this could lead to unauthorized access and control over AWS resources, potentially compromising sensitive data and critical infrastructure. Data_source:
search:`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser| spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`
how_to_implement:You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs known_false_positives:Sts:GetSessionToken can be very noisy as in certain environments numerous calls of this type can be executed. This search can be adjusted to provide specific values to identify cases of abuse. In specific environments the use of field requestParameters.serialNumber will need to be used. References: drilldown_searches:
: tags: analytic_story: - 'AWS Cross Account Activity' asset_type:AWS Account confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1550' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'userIdentity.type' - 'eventName' - 'sourceIPAddress' - 'eventTime' - 'userIdentity.arn' - 'userName' - 'userAgent' - 'user_type' - 'status' - 'region' risk_score:25 security_domain:threat
