Skip to content
Threat Feed
medium advisory

AWS STS GetFederationToken Request for Defense Evasion and Persistence

Detection of the first AWS Security Token Service (STS) GetFederationToken request by a user, which adversaries can abuse to obtain temporary credentials for persistence and to bypass IAM API call limitations by gaining console access.

The AWS Security Token Service (STS) GetFederationToken API allows users to request temporary security credentials with a maximum expiration of 36 hours. These tokens can be used to create console sign-in tokens, even for identities that don't already have one. Attackers may exploit this API to gain persistent access to AWS resources, even after the initial compromised identity is revoked. This technique can also bypass IAM API call limitations, allowing adversaries to perform sensitive actions with temporary credentials. The detection of the first occurrence of this API call by a user can help identify potential misuse and unauthorized access attempts within AWS environments. Identifying anomalous GetFederationToken requests is crucial for detecting and responding to potential defense evasion and persistence tactics used by attackers.

Attack Chain

  1. Initial compromise of an AWS user identity or service account through credential theft or misconfiguration.
  2. The attacker leverages the compromised identity to call the GetFederationToken API.
  3. The STS service issues temporary security credentials, including an access key, secret key, and session token.
  4. The attacker configures their tools or scripts to use these temporary credentials for subsequent AWS API calls.
  5. The attacker utilizes the temporary credentials to access AWS resources and perform actions that may be restricted by IAM policies on the original compromised identity.
  6. The attacker may also create a console sign-in token using the temporary credentials for console-based access to AWS resources.
  7. Even if the initial compromised identity is revoked or deleted, the temporary credentials remain valid for up to 36 hours, allowing the attacker to maintain access.
  8. The attacker uses the persistent access to perform actions such as data exfiltration, resource modification, or further lateral movement within the AWS environment.

Impact

Successful exploitation can lead to unauthorized access to sensitive AWS resources, data breaches, and potential disruption of services. The impact can be significant, as attackers can maintain access for up to 36 hours even after the initial compromised identity is revoked. This persistence allows attackers to perform a wide range of malicious activities, potentially affecting critical business operations and resulting in financial losses and reputational damage. Organizations in all sectors utilizing AWS are potentially vulnerable.

Recommendation

  • Deploy the Sigma rule "AWS First Occurrence of STS GetFederationToken Request by User" to your SIEM to detect suspicious GetFederationToken requests.
  • Investigate any alerts generated by the Sigma rule, focusing on unusual user behavior and unexpected request origins.
  • Review the CloudTrail logs for the requesting user (aws.cloudtrail.user_identity.arn) to verify if the GetFederationToken request was legitimate.
  • Implement additional monitoring and alerting for GetFederationToken requests, as mentioned in the overview.
  • Attach a policy that denies all actions, such as the AWSDenyAll policy, to revoke privileges of compromised users.

Detection coverage 2

AWS STS GetFederationToken Request

medium

Detects AWS Security Token Service (STS) GetFederationToken requests.

sigma tactics: defense_evasion, persistence techniques: T1098.001, T1550.001 sources: cloudtrail, aws

AWS First Occurrence of STS GetFederationToken Request by User

medium

Identifies the first occurrence of an AWS STS GetFederationToken request made by a user.

sigma tactics: defense_evasion, persistence techniques: T1098.001, T1550.001 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →