<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Security Token Service - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-security-token-service/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 24 Nov 2024 00:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-security-token-service/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS STS AssumeRoot by Rare User and Member Account</title><link>https://feed.craftedsignal.io/briefs/2024-11-aws-sts-assumeroot-rare-user/</link><pubDate>Sun, 24 Nov 2024 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-aws-sts-assumeroot-rare-user/</guid><description>The rule detects when the STS AssumeRoot action is performed by a rare user in AWS, potentially indicating privilege escalation.</description><content:encoded><![CDATA[<p>This detection identifies when the AWS STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated permissions based on the task policy specified. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role against a specific member account. An adversary with compromised user credentials can abuse this action to escalate privileges and gain unauthorized access to AWS resources within an organization. This activity may indicate privilege escalation, lateral movement into a new account, abuse of cross-account access paths, or misuse of administrative workflows. The rule focuses on successful AssumeRoot events to minimize false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises AWS credentials of a user or role through phishing, credential stuffing, or other means.</li>
<li>The attacker uses the compromised credentials to authenticate to the AWS environment.</li>
<li>The attacker attempts to perform the <code>sts:AssumeRoot</code> action, targeting a specific member account within the AWS organization.</li>
<li>The attacker specifies a <code>taskPolicyArn</code> in the <code>AssumeRoot</code> request, defining the permissions they wish to assume in the target account.</li>
<li>AWS validates the request and, if successful, issues temporary credentials, including an access key ID, secret access key, and session token.</li>
<li>The attacker uses the temporary credentials to authenticate to the target member account.</li>
<li>The attacker performs actions within the target account, leveraging the elevated permissions granted by the assumed role, such as modifying IAM policies, accessing sensitive data, or disabling security controls.</li>
<li>The attacker maintains persistence by creating additional cloud roles (T1098.003)</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful AssumeRoot attack can lead to full compromise of the targeted AWS account. This can allow the attacker to modify or delete resources, steal sensitive data, and disrupt business operations. The severity of the impact depends on the permissions granted by the task policy used during the AssumeRoot call and the resources present in the compromised account. This can affect a single member account or have organization-wide implications if the attacker is able to pivot to other accounts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS STS AssumeRoot by Rare User</code> to detect unusual <code>AssumeRoot</code> activity in your AWS environment (see rules).</li>
<li>Investigate any alerts generated by the <code>AWS STS AssumeRoot by Rare User</code> rule, focusing on identifying the actor, target account, and actions performed after assuming the role (see rule documentation).</li>
<li>Restrict which IAM roles and identities can call <code>sts:AssumeRoot</code>, using IAM conditions (e.g., <code>aws:PrincipalArn</code>, <code>aws:PrincipalOrgID</code>, <code>aws:RequestedRegion</code>) as mentioned in the overview section.</li>
<li>Ensure <code>AssumeRoot</code> activity is included in your SIEM dashboards and investigation playbooks as described in the overview section.</li>
<li>Enable AWS CloudTrail logging and ensure the logs are being ingested into your SIEM (see index in rule).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>privilege-escalation</category><category>cloud</category></item><item><title>AWS STS GetFederationToken Request for Defense Evasion and Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-10-aws-get-federation-token/</link><pubDate>Sat, 26 Oct 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-aws-get-federation-token/</guid><description>Detection of the first AWS Security Token Service (STS) GetFederationToken request by a user, which adversaries can abuse to obtain temporary credentials for persistence and to bypass IAM API call limitations by gaining console access.</description><content:encoded><![CDATA[<p>The AWS Security Token Service (STS) GetFederationToken API allows users to request temporary security credentials with a maximum expiration of 36 hours. These tokens can be used to create console sign-in tokens, even for identities that don't already have one. Attackers may exploit this API to gain persistent access to AWS resources, even after the initial compromised identity is revoked. This technique can also bypass IAM API call limitations, allowing adversaries to perform sensitive actions with temporary credentials. The detection of the first occurrence of this API call by a user can help identify potential misuse and unauthorized access attempts within AWS environments. Identifying anomalous GetFederationToken requests is crucial for detecting and responding to potential defense evasion and persistence tactics used by attackers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of an AWS user identity or service account through credential theft or misconfiguration.</li>
<li>The attacker leverages the compromised identity to call the <code>GetFederationToken</code> API.</li>
<li>The STS service issues temporary security credentials, including an access key, secret key, and session token.</li>
<li>The attacker configures their tools or scripts to use these temporary credentials for subsequent AWS API calls.</li>
<li>The attacker utilizes the temporary credentials to access AWS resources and perform actions that may be restricted by IAM policies on the original compromised identity.</li>
<li>The attacker may also create a console sign-in token using the temporary credentials for console-based access to AWS resources.</li>
<li>Even if the initial compromised identity is revoked or deleted, the temporary credentials remain valid for up to 36 hours, allowing the attacker to maintain access.</li>
<li>The attacker uses the persistent access to perform actions such as data exfiltration, resource modification, or further lateral movement within the AWS environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive AWS resources, data breaches, and potential disruption of services. The impact can be significant, as attackers can maintain access for up to 36 hours even after the initial compromised identity is revoked. This persistence allows attackers to perform a wide range of malicious activities, potentially affecting critical business operations and resulting in financial losses and reputational damage. Organizations in all sectors utilizing AWS are potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS First Occurrence of STS GetFederationToken Request by User&quot; to your SIEM to detect suspicious GetFederationToken requests.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on unusual user behavior and unexpected request origins.</li>
<li>Review the CloudTrail logs for the requesting user (<code>aws.cloudtrail.user_identity.arn</code>) to verify if the <code>GetFederationToken</code> request was legitimate.</li>
<li>Implement additional monitoring and alerting for <code>GetFederationToken</code> requests, as mentioned in the overview.</li>
<li>Attach a policy that denies all actions, such as the <code>AWSDenyAll</code> policy, to revoke privileges of compromised users.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>cloud</category><category>defense-evasion</category><category>persistence</category></item><item><title>AWS STS AssumeRole with New MFA Device</title><link>https://feed.craftedsignal.io/briefs/2024-10-aws-sts-assume-role-new-mfa/</link><pubDate>Sat, 26 Oct 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-aws-sts-assume-role-new-mfa/</guid><description>This rule identifies when a user has assumed a role using a new MFA device in AWS, which can be indicative of persistence and privilege escalation attempts by threat actors.</description><content:encoded><![CDATA[<p>This detection rule identifies instances of AWS Security Token Service (STS) <code>AssumeRole</code> calls where a new Multi-Factor Authentication (MFA) device is used. While legitimate administrative tasks may involve assuming roles with new MFA devices, adversaries can leverage this technique to establish persistence, escalate privileges, or move laterally within an AWS environment. The rule focuses on successful <code>AssumeRole</code>, <code>AssumeRoleWithSAML</code>, and <code>AssumeRoleWithWebIdentity</code> events, specifically looking for the presence of a serial number associated with the MFA device in the request parameters, indicating a new MFA device was used. This activity warrants investigation to determine if it is authorized or indicative of malicious behavior. The rule uses a 10-day history window to define &quot;new&quot; MFA devices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials (T1078.004).</li>
<li>The attacker registers a new MFA device within the compromised AWS account (T1556.006).</li>
<li>The attacker uses the AWS STS <code>AssumeRole</code> API to request temporary credentials for a different IAM role (T1550).</li>
<li>The request includes the serial number of the newly registered MFA device in the <code>request_parameters</code> (part of the AssumeRole call).</li>
<li>AWS STS validates the MFA and, if successful, issues temporary credentials associated with the assumed role (T1550.001).</li>
<li>The attacker uses these temporary credentials to access resources and perform actions authorized by the assumed role (T1078).</li>
<li>This may involve escalating privileges, accessing sensitive data, or moving laterally to other AWS resources (TA0004, TA0008).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using a new MFA device to assume a role can lead to unauthorized access to sensitive AWS resources. The attacker can escalate privileges, move laterally to other resources, or establish persistent access within the environment. This can result in data breaches, service disruption, or other malicious activities, impacting the confidentiality, integrity, and availability of the organization's cloud infrastructure. The risk score is 21, indicating a potential but not immediately critical threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the following Sigma rules to your SIEM to detect the use of new MFA devices in <code>AssumeRole</code> calls and tune for your environment.</li>
<li>Enable AWS CloudTrail logging and ensure proper configuration of the AWS Fleet integration or Filebeat module to capture relevant STS events.</li>
<li>Review AWS CloudTrail logs for unusual patterns of MFA device registrations and role assumptions, focusing on privilege escalation or lateral movement attempts.</li>
<li>Implement additional monitoring and alerting for unusual MFA device registrations and role assumptions to enhance detection of similar threats in the future.</li>
<li>Create exceptions for known onboarding activities or routine device replacements by correlating with HR records or IT support tickets as described in the rule's false positives section.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">threat</category><category>aws</category><category>cloudtrail</category><category>sts</category><category>assume_role</category><category>mfa</category><category>persistence</category><category>privilege_escalation</category><category>lateral_movement</category></item><item><title>AWS STS Role Chaining for Privilege Escalation and Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-10-aws-sts-role-chaining/</link><pubDate>Fri, 25 Oct 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-aws-sts-role-chaining/</guid><description>AWS STS role chaining, where one assumed role is used to assume another, can lead to privilege escalation or persistence by refreshing session tokens, triggering alerts on the first observed role assumption based on CloudTrail logs.</description><content:encoded><![CDATA[<p>This threat brief addresses the potential abuse of AWS STS role chaining. Role chaining is a legitimate AWS feature where an assumed role is used to assume another role through the AWS CLI or API. However, malicious actors can exploit this functionality to escalate privileges if the second assumed role has broader permissions than the initial role. The chaining can also be used as a persistence mechanism since each <code>AssumeRole</code> action results in a refreshed session token with a maximum duration of one hour. This activity is detected by monitoring CloudTrail logs for the first occurrence of a role (identified by <code>aws.cloudtrail.user_identity.session_context.session_issuer.arn</code>) assuming another role (<code>aws.cloudtrail.resources.arn</code>). Detection focuses on identifying novel role-chaining relationships to highlight potentially unauthorized activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, possibly through compromised credentials or an exposed access key.</li>
<li>The attacker uses the compromised credentials to assume an initial IAM role using <code>sts:AssumeRole</code>. This action is logged in CloudTrail with the <code>AssumeRole</code> event.</li>
<li>The attacker then uses the temporary credentials obtained from the first role to assume a second IAM role, again using <code>sts:AssumeRole</code>. The <code>aws.cloudtrail.user_identity.session_context.session_issuer.arn</code> field identifies the first role, and the <code>aws.cloudtrail.resources.arn</code> field identifies the second role.</li>
<li>If the second role has more permissions than the first, the attacker can use the second role's credentials to perform actions they couldn't do before (privilege escalation). This could involve actions related to IAM, EC2, S3 or other AWS services.</li>
<li>The attacker leverages the increased permissions to access sensitive data stored in S3 buckets, modify IAM policies to grant themselves further access, or launch EC2 instances for malicious purposes.</li>
<li>Each AssumeRole action generates new temporary credentials, effectively refreshing the attacker's session.</li>
<li>The attacker maintains persistence within the AWS environment by repeatedly chaining roles to refresh temporary credentials.</li>
<li>The attacker achieves their objective, such as exfiltrating sensitive data, deploying malware, or disrupting services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via role chaining can lead to significant privilege escalation within an AWS environment. This can enable attackers to gain unauthorized access to sensitive data, modify critical infrastructure configurations, and potentially disrupt business operations. The persistence aspect of role chaining can allow attackers to maintain a foothold in the environment for extended periods, making detection and remediation more challenging. The blast radius can extend across multiple AWS accounts if cross-account role chaining is involved.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AWS STS Role Chaining</code> to identify instances of role chaining in AWS CloudTrail logs. Tune the rule to exclude expected role-chaining patterns based on your environment (<code>aws.cloudtrail.user_identity.session_context.session_issuer.arn</code>, <code>aws.cloudtrail.resources.arn</code>).</li>
<li>Monitor CloudTrail logs for <code>AssumeRole</code> events where <code>aws.cloudtrail.user_identity.type</code> is <code>AssumedRole</code>, focusing on unusual or unexpected role combinations.</li>
<li>Implement least privilege policies for all IAM roles, limiting trust policies to only required principals. Periodically review role chaining patterns to validate necessity.</li>
<li>Use the <code>AWS STS Role Chaining</code> Sigma rule to identify potential role chaining attempts and investigate accordingly.</li>
<li>Correlate CloudTrail logs with other security events (e.g., GuardDuty alerts) to identify potential privilege escalation or data exfiltration activities following role chaining.</li>
<li>Enable MFA where possible on <code>AssumeRole</code> operations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>sts</category><category>role-chaining</category><category>privilege-escalation</category><category>persistence</category></item></channel></rss>