Product
AWS STS AssumeRoot by Rare User and Member Account
2 rules 3 TTPsThe rule detects when the STS AssumeRoot action is performed by a rare user in AWS, potentially indicating privilege escalation.
AWS STS GetFederationToken Request for Defense Evasion and Persistence
2 rules 2 TTPsDetection of the first AWS Security Token Service (STS) GetFederationToken request by a user, which adversaries can abuse to obtain temporary credentials for persistence and to bypass IAM API call limitations by gaining console access.
AWS STS AssumeRole with New MFA Device
2 rules 4 TTPsThis rule identifies when a user has assumed a role using a new MFA device in AWS, which can be indicative of persistence and privilege escalation attempts by threat actors.
AWS STS Role Chaining for Privilege Escalation and Persistence
2 rules 3 TTPsAWS STS role chaining, where one assumed role is used to assume another, can lead to privilege escalation or persistence by refreshing session tokens, triggering alerts on the first observed role assumption based on CloudTrail logs.