{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1550.001/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS STS"],"_cs_severities":["medium"],"_cs_tags":["attack.lateral-movement","attack.privilege-escalation","attack.t1548","attack.t1550","attack.t1550.001"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe AWS Security Token Service (STS) AssumeRole function allows users or applications to assume a different IAM role, granting temporary access to resources and permissions associated with that role.  Attackers who gain initial access to an AWS account can misuse AssumeRole to move laterally to other roles and escalate their privileges. This can occur if the initial role has overly permissive trust relationships or if an attacker can manipulate the role assumption process.  This activity is detected through CloudTrail logs that record the AssumeRole event. The impact of this activity can be significant, depending on the permissions associated with the roles assumed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies IAM roles within the AWS environment that they may be able to assume.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to use the \u003ccode\u003eAssumeRole\u003c/code\u003e API call to assume a different role. This call includes parameters specifying the target role ARN and a session name.\u003c/li\u003e\n\u003cli\u003eAWS STS validates the request.  Successful validation depends on the trust policy of the target role and the permissions of the initial user or role.\u003c/li\u003e\n\u003cli\u003eIf the validation is successful, AWS STS returns temporary security credentials (access key ID, secret access key, and session token) to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these temporary credentials to access AWS resources and perform actions authorized by the assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to move laterally and escalate privileges by assuming additional roles.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as accessing sensitive data, modifying configurations, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a wide range of impacts, including unauthorized access to sensitive data stored in S3 buckets or databases, modification or deletion of critical infrastructure configurations, and disruption of AWS services. The scope of the impact depends on the permissions associated with the roles that the attacker is able to assume. This can affect any organization using AWS, and the consequences can range from data breaches and financial losses to reputational damage and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect suspicious \u003ccode\u003eAssumeRole\u003c/code\u003e activity based on \u003ccode\u003euserIdentity.type\u003c/code\u003e and \u003ccode\u003euserIdentity.sessionContext.sessionIssuer.type\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and harden IAM role trust policies to ensure that only authorized entities can assume roles.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual patterns of \u003ccode\u003eAssumeRole\u003c/code\u003e API calls, especially those originating from unfamiliar user identities or locations.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-assumerole-misuse/","summary":"Abuse of AWS STS AssumeRole can allow attackers to move laterally within an AWS environment and escalate privileges, potentially leading to unauthorized access to sensitive resources and data.","title":"AWS STS AssumeRole Misuse for Lateral Movement and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-assumerole-misuse/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1550.001","version":"https://jsonfeed.org/version/1.1"}