<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Security Token Service (STS) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-security-token-service-sts/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-security-token-service-sts/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS STS Role Assumption by Service for Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-sts-role-assumption/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-sts-role-assumption/</guid><description>Detection of AWS services assuming roles within AWS Security Token Service (STS) to gain temporary credentials and potentially escalate privileges or move laterally within the AWS environment.</description><content:encoded><![CDATA[<p>This threat brief focuses on the abuse of AWS Security Token Service (STS) AssumeRole functionality by AWS services, as highlighted by an Elastic detection rule. The rule identifies instances where services such as EC2, Lambda, RDS, and others assume roles to obtain temporary credentials. While legitimate for standard operations, adversaries can exploit this behavior to escalate privileges or move laterally within an AWS environment. The technique involves leveraging existing service identities to gain access to resources beyond their intended scope. This rule is designed to detect anomalous or unauthorized role assumptions. The referenced detection rule was last updated on 2026-04-10 and analyzes AWS CloudTrail logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS service, such as an EC2 instance, through methods like exploiting a vulnerable application running on the instance.</li>
<li>The attacker leverages the compromised service's existing IAM role or configurations.</li>
<li>The attacker uses the AWS STS AssumeRole API, using a service like EC2 or Lambda, to assume a different, more privileged role within the AWS environment.</li>
<li>The <code>AssumeRole</code> request includes the target role ARN (<code>aws.cloudtrail.resources.arn</code>) and a session name (<code>aws.cloudtrail.flattened.request_parameters.roleSessionName</code>), if available.</li>
<li>AWS STS validates the request based on IAM policies associated with the involved roles.</li>
<li>If successful, AWS STS provides temporary credentials, including an access key ID, secret access key, and session token (<code>aws.cloudtrail.flattened.response_elements.credentials.accessKeyId</code>).</li>
<li>The attacker uses the acquired temporary credentials to perform unauthorized actions, such as accessing sensitive data or modifying critical infrastructure.</li>
<li>The attacker moves laterally by assuming other roles or accessing other resources within the AWS environment, escalating their privileges to achieve their objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, modification or deletion of critical infrastructure, and overall compromise of the AWS environment. The risk score associated with this behavior is 21, indicating a moderate level of potential damage. Lateral movement allows the attacker to expand their reach within the environment, potentially impacting multiple services and data stores. Organizations in any sector utilizing AWS services are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS Service Assuming Privileged Role&quot; to detect unusual role assumption activities, focusing on the <code>aws.cloudtrail.user_identity.invoked_by</code> and <code>aws.cloudtrail.resources.arn</code> fields.</li>
<li>Investigate any alerts triggered by the Sigma rule, paying close attention to the user agent (<code>user_agent.original</code>) and the assumed role's permissions.</li>
<li>Enable AWS CloudTrail logging and ensure the logs are being ingested into your SIEM to provide the necessary data for the detection rules.</li>
<li>Create a baseline of legitimate role assumption activities by services in your environment to reduce false positives and improve the accuracy of the detection.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>sts</category><category>privilege-escalation</category><category>lateral-movement</category></item></channel></rss>