{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/getfederationtoken/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS STS"],"_cs_severities":["high"],"_cs_tags":["aws","privilege-escalation","lateral-movement","sts","getfederationtoken"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe AWS Security Token Service (STS) GetFederationToken API allows for the creation of temporary security credentials for federated users. These credentials inherit permissions from the calling IAM user and any session policy included in the request. This detection focuses on instances where the request parameters of GetFederationToken reference AdministratorAccess, either directly or through an equivalent string. The inclusion of AdministratorAccess within the session policy grants overly broad privileges to the temporary credentials, potentially leading to privilege escalation or abuse. This scenario is often indicative of legacy systems, misconfigured tooling, or malicious intent, posing a significant risk to the security posture of AWS environments. Defenders should prioritize identifying and mitigating instances of this behavior to enforce least privilege principles and prevent unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised IAM user credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an IAM user with the necessary permissions to call the STS GetFederationToken API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GetFederationToken API request, including a session policy that directly references \u0026ldquo;AdministratorAccess\u0026rdquo; or includes a policy ARN that grants administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe GetFederationToken API call is successfully executed, generating temporary security credentials with broad administrator permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the temporary credentials to perform privileged actions within the AWS environment, such as modifying IAM policies, accessing sensitive data, or deploying malicious resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to laterally move within the AWS environment by leveraging the newly acquired administrator privileges to compromise other resources or accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker could establish persistence by creating new IAM users or roles with elevated permissions, ensuring continued access even after the temporary credentials expire.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, service disruption, or financial gain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete compromise of the AWS environment. An attacker with temporary administrator credentials can modify security configurations, access sensitive data, and disrupt critical services. While no specific victim counts or sectors are mentioned, the broad permissions granted by AdministratorAccess make any AWS environment vulnerable to significant damage. The risk score of 73 highlights the potential for severe impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS STS GetFederationToken with AdministratorAccess in Request\u0026rdquo; to your SIEM to detect instances of this activity (rule title).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e to identify the specific policy being used (rule title).\u003c/li\u003e\n\u003cli\u003eRevoke or rotate the IAM user access keys involved in the GetFederationToken call and enforce least privilege on the user (rule description).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for subsequent events using \u003ccode\u003eresponse_elements.credentials.accessKeyId\u003c/code\u003e from the same response to identify actions taken with the temporary credentials (rule description).\u003c/li\u003e\n\u003cli\u003eReview and update IAM policies to ensure that session policies used with GetFederationToken adhere to the principle of least privilege (rule description).\u003c/li\u003e\n\u003cli\u003eImplement automated checks to prevent the creation or modification of IAM policies that grant AdministratorAccess except in explicitly approved scenarios (rule description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-sts-admin-access/","summary":"Detection of AWS STS GetFederationToken calls with AdministratorAccess in the request parameters, indicating potential privilege escalation or dangerous automation via broadly privileged temporary credentials.","title":"AWS STS GetFederationToken with AdministratorAccess in Request","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-sts-admin-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Getfederationtoken","version":"https://jsonfeed.org/version/1.1"}