AWS IAM Session Token Used From Multiple Addresses
Compromised AWS IAM session tokens are used from multiple IP addresses, networks, cities, and user agents within a short timeframe, indicating potential credential theft and abuse.
This rule identifies potentially suspicious activity within AWS environments by detecting instances where a single IAM user's temporary session token is accessed from multiple IP addresses within a 30-minute window. This activity may indicate that an attacker has compromised temporary credentials and is utilizing them from various locations. The rule enhances detection accuracy and minimizes false positives by incorporating criteria that evaluate unique IP addresses, user agents, cities, and networks. Detected activities are classified into different types based on the combination of unique indicators, with each classification assigned a fidelity score. The rule excludes console login sessions to reduce false positives from legitimate console-based access across VPN or network changes.
Attack Chain
- An attacker obtains an AWS IAM user's temporary session token through methods such as phishing, malware, or credential harvesting.
- The attacker uses the compromised session token to make API requests to AWS services.
- The attacker attempts to enumerate AWS resources to identify potential targets, such as S3 buckets or EC2 instances (e.g.,
s3:ListBuckets,iam:ListUsers). - The attacker leverages the stolen credentials to access AWS resources from different IP addresses, potentially using different user agents and originating from diverse geographical locations.
- The AWS CloudTrail logs record API calls made using the compromised session token, including the source IP address, user agent, and accessed resources.
- The detection rule identifies the use of the same session token from multiple IP addresses, networks, cities and user agents within a 30-minute timeframe.
- The attacker attempts to move laterally within the AWS environment, escalating privileges or accessing sensitive data.
- The attacker achieves their final objective, such as data exfiltration, service disruption, or resource compromise.
Impact
A successful attack can lead to unauthorized access to sensitive data stored in AWS resources, such as S3 buckets or databases. This can result in data breaches, financial losses, and reputational damage. The rule helps in early detection of compromised credentials, allowing security teams to respond quickly and prevent further damage. Depending on the IAM user's permissions, the impact could range from reading sensitive data to modifying infrastructure configurations.
Recommendation
- Deploy the provided Sigma rule to your SIEM and tune the
IpListCountandTimeFrameparameters to match your environment's baseline activity. - Investigate alerts generated by the Sigma rule by examining the
aws.cloudtrail.user_identity.arn,source.ips, anduser_agent.originalfields in the logs. - Revoke the compromised IAM session token immediately upon detection to prevent further unauthorized access.
- Implement multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise, as recommended in the rule's documentation.
- Monitor AWS CloudTrail logs for unusual API activity and access patterns, focusing on events associated with the compromised IAM user.
- Strengthen access controls by implementing policy conditions based on IP ranges or device identification.
Detection coverage 2
AWS IAM Session Token Used From Multiple IPs
mediumDetects the use of an AWS IAM session token from multiple distinct IP addresses within a defined timeframe, indicating potential credential compromise.
AWS IAM User Agent Diversity
lowDetects diverse user agents used to access the same AWS IAM identity within a short time frame.
Detection queries are available on the platform. Get full rules →