{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/assume_role/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Security Token Service","AWS Identity and Access Management"],"_cs_severities":["low"],"_cs_tags":["aws","cloudtrail","sts","assume_role","mfa","persistence","privilege_escalation","lateral_movement"],"_cs_type":"threat","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection rule identifies instances of AWS Security Token Service (STS) \u003ccode\u003eAssumeRole\u003c/code\u003e calls where a new Multi-Factor Authentication (MFA) device is used. While legitimate administrative tasks may involve assuming roles with new MFA devices, adversaries can leverage this technique to establish persistence, escalate privileges, or move laterally within an AWS environment. The rule focuses on successful \u003ccode\u003eAssumeRole\u003c/code\u003e, \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e, and \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e events, specifically looking for the presence of a serial number associated with the MFA device in the request parameters, indicating a new MFA device was used. This activity warrants investigation to determine if it is authorized or indicative of malicious behavior. The rule uses a 10-day history window to define \u0026quot;new\u0026quot; MFA devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new MFA device within the compromised AWS account (T1556.006).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS STS \u003ccode\u003eAssumeRole\u003c/code\u003e API to request temporary credentials for a different IAM role (T1550).\u003c/li\u003e\n\u003cli\u003eThe request includes the serial number of the newly registered MFA device in the \u003ccode\u003erequest_parameters\u003c/code\u003e (part of the AssumeRole call).\u003c/li\u003e\n\u003cli\u003eAWS STS validates the MFA and, if successful, issues temporary credentials associated with the assumed role (T1550.001).\u003c/li\u003e\n\u003cli\u003eThe attacker uses these temporary credentials to access resources and perform actions authorized by the assumed role (T1078).\u003c/li\u003e\n\u003cli\u003eThis may involve escalating privileges, accessing sensitive data, or moving laterally to other AWS resources (TA0004, TA0008).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using a new MFA device to assume a role can lead to unauthorized access to sensitive AWS resources. The attacker can escalate privileges, move laterally to other resources, or establish persistent access within the environment. This can result in data breaches, service disruption, or other malicious activities, impacting the confidentiality, integrity, and availability of the organization's cloud infrastructure. The risk score is 21, indicating a potential but not immediately critical threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rules to your SIEM to detect the use of new MFA devices in \u003ccode\u003eAssumeRole\u003c/code\u003e calls and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and ensure proper configuration of the AWS Fleet integration or Filebeat module to capture relevant STS events.\u003c/li\u003e\n\u003cli\u003eReview AWS CloudTrail logs for unusual patterns of MFA device registrations and role assumptions, focusing on privilege escalation or lateral movement attempts.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring and alerting for unusual MFA device registrations and role assumptions to enhance detection of similar threats in the future.\u003c/li\u003e\n\u003cli\u003eCreate exceptions for known onboarding activities or routine device replacements by correlating with HR records or IT support tickets as described in the rule's false positives section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-10-aws-sts-assume-role-new-mfa/","summary":"This rule identifies when a user has assumed a role using a new MFA device in AWS, which can be indicative of persistence and privilege escalation attempts by threat actors.","title":"AWS STS AssumeRole with New MFA Device","url":"https://feed.craftedsignal.io/briefs/2024-10-aws-sts-assume-role-new-mfa/"}],"language":"en","title":"CraftedSignal Threat Feed - Assume_role","version":"https://jsonfeed.org/version/1.1"}