AWS STS AssumeRoot by Rare User and Member Account
The rule detects when the STS AssumeRoot action is performed by a rare user in AWS, potentially indicating privilege escalation.
This detection identifies when the AWS STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated permissions based on the task policy specified. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role against a specific member account. An adversary with compromised user credentials can abuse this action to escalate privileges and gain unauthorized access to AWS resources within an organization. This activity may indicate privilege escalation, lateral movement into a new account, abuse of cross-account access paths, or misuse of administrative workflows. The rule focuses on successful AssumeRoot events to minimize false positives.
Attack Chain
- An attacker compromises AWS credentials of a user or role through phishing, credential stuffing, or other means.
- The attacker uses the compromised credentials to authenticate to the AWS environment.
- The attacker attempts to perform the
sts:AssumeRootaction, targeting a specific member account within the AWS organization. - The attacker specifies a
taskPolicyArnin theAssumeRootrequest, defining the permissions they wish to assume in the target account. - AWS validates the request and, if successful, issues temporary credentials, including an access key ID, secret access key, and session token.
- The attacker uses the temporary credentials to authenticate to the target member account.
- The attacker performs actions within the target account, leveraging the elevated permissions granted by the assumed role, such as modifying IAM policies, accessing sensitive data, or disabling security controls.
- The attacker maintains persistence by creating additional cloud roles (T1098.003)
Impact
A successful AssumeRoot attack can lead to full compromise of the targeted AWS account. This can allow the attacker to modify or delete resources, steal sensitive data, and disrupt business operations. The severity of the impact depends on the permissions granted by the task policy used during the AssumeRoot call and the resources present in the compromised account. This can affect a single member account or have organization-wide implications if the attacker is able to pivot to other accounts.
Recommendation
- Deploy the Sigma rule
AWS STS AssumeRoot by Rare Userto detect unusualAssumeRootactivity in your AWS environment (see rules). - Investigate any alerts generated by the
AWS STS AssumeRoot by Rare Userrule, focusing on identifying the actor, target account, and actions performed after assuming the role (see rule documentation). - Restrict which IAM roles and identities can call
sts:AssumeRoot, using IAM conditions (e.g.,aws:PrincipalArn,aws:PrincipalOrgID,aws:RequestedRegion) as mentioned in the overview section. - Ensure
AssumeRootactivity is included in your SIEM dashboards and investigation playbooks as described in the overview section. - Enable AWS CloudTrail logging and ensure the logs are being ingested into your SIEM (see index in rule).
Detection coverage 2
AWS STS AssumeRoot by Rare User
mediumDetects when the STS AssumeRoot action is performed by a rare user and member account combination in AWS.
AWS STS AssumeRoot with Specific Task Policy
highDetects AssumeRoot calls using a specific task policy ARN, potentially indicating targeted privilege escalation.
Detection queries are available on the platform. Get full rules →