{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-security-token-service-sts/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Security Token Service (STS)"],"_cs_severities":["medium"],"_cs_tags":["aws","sts","privilege-escalation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of AWS Security Token Service (STS) AssumeRole functionality by AWS services, as highlighted by an Elastic detection rule. The rule identifies instances where services such as EC2, Lambda, RDS, and others assume roles to obtain temporary credentials. While legitimate for standard operations, adversaries can exploit this behavior to escalate privileges or move laterally within an AWS environment. The technique involves leveraging existing service identities to gain access to resources beyond their intended scope. This rule is designed to detect anomalous or unauthorized role assumptions. The referenced detection rule was last updated on 2026-04-10 and analyzes AWS CloudTrail logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS service, such as an EC2 instance, through methods like exploiting a vulnerable application running on the instance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised service's existing IAM role or configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS STS AssumeRole API, using a service like EC2 or Lambda, to assume a different, more privileged role within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAssumeRole\u003c/code\u003e request includes the target role ARN (\u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e) and a session name (\u003ccode\u003eaws.cloudtrail.flattened.request_parameters.roleSessionName\u003c/code\u003e), if available.\u003c/li\u003e\n\u003cli\u003eAWS STS validates the request based on IAM policies associated with the involved roles.\u003c/li\u003e\n\u003cli\u003eIf successful, AWS STS provides temporary credentials, including an access key ID, secret access key, and session token (\u003ccode\u003eaws.cloudtrail.flattened.response_elements.credentials.accessKeyId\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the acquired temporary credentials to perform unauthorized actions, such as accessing sensitive data or modifying critical infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally by assuming other roles or accessing other resources within the AWS environment, escalating their privileges to achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, modification or deletion of critical infrastructure, and overall compromise of the AWS environment. The risk score associated with this behavior is 21, indicating a moderate level of potential damage. Lateral movement allows the attacker to expand their reach within the environment, potentially impacting multiple services and data stores. Organizations in any sector utilizing AWS services are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS Service Assuming Privileged Role\u0026quot; to detect unusual role assumption activities, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.invoked_by\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, paying close attention to the user agent (\u003ccode\u003euser_agent.original\u003c/code\u003e) and the assumed role's permissions.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and ensure the logs are being ingested into your SIEM to provide the necessary data for the detection rules.\u003c/li\u003e\n\u003cli\u003eCreate a baseline of legitimate role assumption activities by services in your environment to reduce false positives and improve the accuracy of the detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-sts-role-assumption/","summary":"Detection of AWS services assuming roles within AWS Security Token Service (STS) to gain temporary credentials and potentially escalate privileges or move laterally within the AWS environment.","title":"AWS STS Role Assumption by Service for Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-sts-role-assumption/"}],"language":"en","title":"CraftedSignal Threat Feed - AWS Security Token Service (STS)","version":"https://jsonfeed.org/version/1.1"}