AWS STS AssumeRole with New MFA Device
This rule identifies when a user has assumed a role using a new MFA device in AWS, which can be indicative of persistence and privilege escalation attempts by threat actors.
This detection rule identifies instances of AWS Security Token Service (STS) AssumeRole calls where a new Multi-Factor Authentication (MFA) device is used. While legitimate administrative tasks may involve assuming roles with new MFA devices, adversaries can leverage this technique to establish persistence, escalate privileges, or move laterally within an AWS environment. The rule focuses on successful AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity events, specifically looking for the presence of a serial number associated with the MFA device in the request parameters, indicating a new MFA device was used. This activity warrants investigation to determine if it is authorized or indicative of malicious behavior. The rule uses a 10-day history window to define "new" MFA devices.
Attack Chain
- An attacker gains initial access to an AWS account, potentially through compromised credentials (T1078.004).
- The attacker registers a new MFA device within the compromised AWS account (T1556.006).
- The attacker uses the AWS STS
AssumeRoleAPI to request temporary credentials for a different IAM role (T1550). - The request includes the serial number of the newly registered MFA device in the
request_parameters(part of the AssumeRole call). - AWS STS validates the MFA and, if successful, issues temporary credentials associated with the assumed role (T1550.001).
- The attacker uses these temporary credentials to access resources and perform actions authorized by the assumed role (T1078).
- This may involve escalating privileges, accessing sensitive data, or moving laterally to other AWS resources (TA0004, TA0008).
Impact
A successful attack using a new MFA device to assume a role can lead to unauthorized access to sensitive AWS resources. The attacker can escalate privileges, move laterally to other resources, or establish persistent access within the environment. This can result in data breaches, service disruption, or other malicious activities, impacting the confidentiality, integrity, and availability of the organization's cloud infrastructure. The risk score is 21, indicating a potential but not immediately critical threat.
Recommendation
- Deploy the following Sigma rules to your SIEM to detect the use of new MFA devices in
AssumeRolecalls and tune for your environment. - Enable AWS CloudTrail logging and ensure proper configuration of the AWS Fleet integration or Filebeat module to capture relevant STS events.
- Review AWS CloudTrail logs for unusual patterns of MFA device registrations and role assumptions, focusing on privilege escalation or lateral movement attempts.
- Implement additional monitoring and alerting for unusual MFA device registrations and role assumptions to enhance detection of similar threats in the future.
- Create exceptions for known onboarding activities or routine device replacements by correlating with HR records or IT support tickets as described in the rule's false positives section.
Detection coverage 2
AWS STS AssumeRole with New MFA Device - Serial Number Present
lowDetects AWS STS AssumeRole events with a serial number in the request parameters, indicating the use of an MFA device.
AWS STS AssumeRole - No Source Identity
mediumDetects AWS STS AssumeRole events without a source identity, which could indicate potential credential abuse.
Detection queries are available on the platform. Get full rules →