medium
advisory
Suspicious AWS SAML Activity Detection
2 rules, 3 TTPs
This rule identifies suspicious SAML activity in AWS, such as AssumeRoleWithSAML and UpdateSAMLProvider events, which could indicate an attacker gaining backdoor access, escalating privileges, or establishing persistence.
AWS IAM +1
aws
saml
cloudtrail
initial-access
lateral-movement
persistence
privilege-escalation
stealth
high
advisory
AWS STS GetFederationToken with AdministratorAccess in Request
2 rules, 2 TTPs
Detection of AWS STS GetFederationToken calls with AdministratorAccess in the request parameters, indicating potential privilege escalation or dangerous automation via broadly privileged temporary credentials.
AWS STS
aws
privilege-escalation
lateral-movement
sts
getfederationtoken
medium
advisory
AWS STS AssumeRole Misuse for Lateral Movement and Privilege Escalation
1 rule, 2 TTPs
Abuse of AWS STS AssumeRole can allow attackers to move laterally within an AWS environment and escalate privileges, potentially leading to unauthorized access to sensitive resources and data.
AWS STS
attack.lateral-movement
attack.privilege-escalation
attack.t1548
attack.t1550
attack.t1550.001