<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Assume_role - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/assume_role/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 26 Oct 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/assume_role/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS STS AssumeRole with New MFA Device</title><link>https://feed.craftedsignal.io/briefs/2024-10-aws-sts-assume-role-new-mfa/</link><pubDate>Sat, 26 Oct 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-aws-sts-assume-role-new-mfa/</guid><description>This rule identifies when a user has assumed a role using a new MFA device in AWS, which can be indicative of persistence and privilege escalation attempts by threat actors.</description><content:encoded><![CDATA[<p>This detection rule identifies instances of AWS Security Token Service (STS) <code>AssumeRole</code> calls where a new Multi-Factor Authentication (MFA) device is used. While legitimate administrative tasks may involve assuming roles with new MFA devices, adversaries can leverage this technique to establish persistence, escalate privileges, or move laterally within an AWS environment. The rule focuses on successful <code>AssumeRole</code>, <code>AssumeRoleWithSAML</code>, and <code>AssumeRoleWithWebIdentity</code> events, specifically looking for the presence of a serial number associated with the MFA device in the request parameters, indicating a new MFA device was used. This activity warrants investigation to determine if it is authorized or indicative of malicious behavior. The rule uses a 10-day history window to define &quot;new&quot; MFA devices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials (T1078.004).</li>
<li>The attacker registers a new MFA device within the compromised AWS account (T1556.006).</li>
<li>The attacker uses the AWS STS <code>AssumeRole</code> API to request temporary credentials for a different IAM role (T1550).</li>
<li>The request includes the serial number of the newly registered MFA device in the <code>request_parameters</code> (part of the AssumeRole call).</li>
<li>AWS STS validates the MFA and, if successful, issues temporary credentials associated with the assumed role (T1550.001).</li>
<li>The attacker uses these temporary credentials to access resources and perform actions authorized by the assumed role (T1078).</li>
<li>This may involve escalating privileges, accessing sensitive data, or moving laterally to other AWS resources (TA0004, TA0008).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using a new MFA device to assume a role can lead to unauthorized access to sensitive AWS resources. The attacker can escalate privileges, move laterally to other resources, or establish persistent access within the environment. This can result in data breaches, service disruption, or other malicious activities, impacting the confidentiality, integrity, and availability of the organization's cloud infrastructure. The risk score is 21, indicating a potential but not immediately critical threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the following Sigma rules to your SIEM to detect the use of new MFA devices in <code>AssumeRole</code> calls and tune for your environment.</li>
<li>Enable AWS CloudTrail logging and ensure proper configuration of the AWS Fleet integration or Filebeat module to capture relevant STS events.</li>
<li>Review AWS CloudTrail logs for unusual patterns of MFA device registrations and role assumptions, focusing on privilege escalation or lateral movement attempts.</li>
<li>Implement additional monitoring and alerting for unusual MFA device registrations and role assumptions to enhance detection of similar threats in the future.</li>
<li>Create exceptions for known onboarding activities or routine device replacements by correlating with HR records or IT support tickets as described in the rule's false positives section.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">threat</category><category>aws</category><category>cloudtrail</category><category>sts</category><category>assume_role</category><category>mfa</category><category>persistence</category><category>privilege_escalation</category><category>lateral_movement</category></item></channel></rss>