AWS STS GetFederationToken Request for Defense Evasion and Persistence
Detection of the first AWS Security Token Service (STS) GetFederationToken request by a user, which adversaries can abuse to obtain temporary credentials for persistence and to bypass IAM API call limitations by gaining console access.
The AWS Security Token Service (STS) GetFederationToken API allows users to request temporary security credentials with a maximum expiration of 36 hours. These tokens can be used to create console sign-in tokens, even for identities that don't already have one. Attackers may exploit this API to gain persistent access to AWS resources, even after the initial compromised identity is revoked. This technique can also bypass IAM API call limitations, allowing adversaries to perform sensitive actions with temporary credentials. The detection of the first occurrence of this API call by a user can help identify potential misuse and unauthorized access attempts within AWS environments. Identifying anomalous GetFederationToken requests is crucial for detecting and responding to potential defense evasion and persistence tactics used by attackers.
Attack Chain
- Initial compromise of an AWS user identity or service account through credential theft or misconfiguration.
- The attacker leverages the compromised identity to call the
GetFederationTokenAPI. - The STS service issues temporary security credentials, including an access key, secret key, and session token.
- The attacker configures their tools or scripts to use these temporary credentials for subsequent AWS API calls.
- The attacker utilizes the temporary credentials to access AWS resources and perform actions that may be restricted by IAM policies on the original compromised identity.
- The attacker may also create a console sign-in token using the temporary credentials for console-based access to AWS resources.
- Even if the initial compromised identity is revoked or deleted, the temporary credentials remain valid for up to 36 hours, allowing the attacker to maintain access.
- The attacker uses the persistent access to perform actions such as data exfiltration, resource modification, or further lateral movement within the AWS environment.
Impact
Successful exploitation can lead to unauthorized access to sensitive AWS resources, data breaches, and potential disruption of services. The impact can be significant, as attackers can maintain access for up to 36 hours even after the initial compromised identity is revoked. This persistence allows attackers to perform a wide range of malicious activities, potentially affecting critical business operations and resulting in financial losses and reputational damage. Organizations in all sectors utilizing AWS are potentially vulnerable.
Recommendation
- Deploy the Sigma rule "AWS First Occurrence of STS GetFederationToken Request by User" to your SIEM to detect suspicious GetFederationToken requests.
- Investigate any alerts generated by the Sigma rule, focusing on unusual user behavior and unexpected request origins.
- Review the CloudTrail logs for the requesting user (
aws.cloudtrail.user_identity.arn) to verify if theGetFederationTokenrequest was legitimate. - Implement additional monitoring and alerting for
GetFederationTokenrequests, as mentioned in the overview. - Attach a policy that denies all actions, such as the
AWSDenyAllpolicy, to revoke privileges of compromised users.
Detection coverage 2
AWS STS GetFederationToken Request
mediumDetects AWS Security Token Service (STS) GetFederationToken requests.
AWS First Occurrence of STS GetFederationToken Request by User
mediumIdentifies the first occurrence of an AWS STS GetFederationToken request made by a user.
Detection queries are available on the platform. Get full rules →