Navigation :

AWS Detect Sts Assume Role Abuse

Description

This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion
Persistence
Privilege Escalation
Initial Access

MITRE ATT&CK Techniques

Valid Accounts

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT33
APT39
APT41
Carbanak
Chimera
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Sandworm Team
Silence
Soft Cell
Suckfly
TEMP.Veles
Threat Group-3390
Wizard Spider
menuPass

Data Sources

AWS
Audit Trail

   Help

AWS Detect Sts Assume Role Abuse Help

You must install splunk AWS add on and Splunk App for AWS. This search works with cloudtrail logs

   Search

`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`
Open in Search