{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/getsessiontoken/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS CloudTrail"],"_cs_severities":["medium"],"_cs_tags":["aws","cloud","lateral-movement","privilege-escalation","sts","GetSessionToken"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe AWS Security Token Service (STS) GetSessionToken API allows IAM users to create temporary security credentials. Attackers can abuse this functionality by generating tokens with elevated privileges or for lateral movement within an AWS environment if an IAM user\u0026rsquo;s credentials have been compromised. This activity can be difficult to detect as GetSessionToken is a legitimate function, but unusual patterns or IAM users generating tokens where it is not expected should be investigated. This activity is of particular concern because it bypasses normal IAM role assumption logging and creates a separate credential for an attacker to abuse, making access more difficult to track. The impact is significant, allowing attackers to perform actions as the compromised IAM user or escalate privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment, potentially through compromised IAM user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to AWS using the compromised IAM user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker calls the STS GetSessionToken API, specifying desired permissions or roles (if permitted by the IAM user\u0026rsquo;s policies).\u003c/li\u003e\n\u003cli\u003eAWS STS generates a new set of temporary credentials (access key ID, secret access key, and session token).\u003c/li\u003e\n\u003cli\u003eThe attacker configures their AWS CLI or SDK to use the newly acquired temporary credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages these temporary credentials to perform actions within the AWS environment, potentially escalating privileges or moving laterally.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting the CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data, deploys malware, or causes disruption within the AWS environment using the acquired privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised AWS environments can lead to data breaches, service disruptions, and financial losses. Successful exploitation via GetSessionToken misuse allows attackers to move laterally, escalate privileges, and perform unauthorized actions within the AWS infrastructure. The number of affected organizations is currently unknown, but any organization relying on AWS is potentially at risk. If successful, attackers can steal sensitive data, compromise critical systems, and disrupt business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS STS GetSessionToken Misuse\u0026rdquo; to your SIEM to detect suspicious GetSessionToken API calls (see rules section).\u003c/li\u003e\n\u003cli\u003eInvestigate GetSessionToken calls where \u003ccode\u003euserIdentity.type\u003c/code\u003e is \u003ccode\u003eIAMUser\u003c/code\u003e to determine if the request is legitimate.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for unusual patterns of GetSessionToken usage, particularly from unfamiliar user agents or hosts.\u003c/li\u003e\n\u003cli\u003eImplement strong IAM policies and MFA to minimize the risk of compromised IAM user credentials.\u003c/li\u003e\n\u003cli\u003eReview the false positives section of the Sigma rule to tune the rule for your specific environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-aws-sts-getsessiontoken-misuse/","summary":"The AWS STS GetSessionToken API is being misused to create temporary tokens for lateral movement and privilege escalation within AWS environments by potentially compromised IAM users.","title":"Suspicious AWS STS GetSessionToken Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-sts-getsessiontoken-misuse/"}],"language":"en","title":"CraftedSignal Threat Feed — GetSessionToken","version":"https://jsonfeed.org/version/1.1"}