{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/role-chaining/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Security Token Service","AWS Identity and Access Management"],"_cs_severities":["medium"],"_cs_tags":["aws","sts","role-chaining","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief addresses the potential abuse of AWS STS role chaining. Role chaining is a legitimate AWS feature where an assumed role is used to assume another role through the AWS CLI or API. However, malicious actors can exploit this functionality to escalate privileges if the second assumed role has broader permissions than the initial role. The chaining can also be used as a persistence mechanism since each \u003ccode\u003eAssumeRole\u003c/code\u003e action results in a refreshed session token with a maximum duration of one hour. This activity is detected by monitoring CloudTrail logs for the first occurrence of a role (identified by \u003ccode\u003eaws.cloudtrail.user_identity.session_context.session_issuer.arn\u003c/code\u003e) assuming another role (\u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e). Detection focuses on identifying novel role-chaining relationships to highlight potentially unauthorized activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, possibly through compromised credentials or an exposed access key.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to assume an initial IAM role using \u003ccode\u003ests:AssumeRole\u003c/code\u003e. This action is logged in CloudTrail with the \u003ccode\u003eAssumeRole\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses the temporary credentials obtained from the first role to assume a second IAM role, again using \u003ccode\u003ests:AssumeRole\u003c/code\u003e. The \u003ccode\u003eaws.cloudtrail.user_identity.session_context.session_issuer.arn\u003c/code\u003e field identifies the first role, and the \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e field identifies the second role.\u003c/li\u003e\n\u003cli\u003eIf the second role has more permissions than the first, the attacker can use the second role's credentials to perform actions they couldn't do before (privilege escalation). This could involve actions related to IAM, EC2, S3 or other AWS services.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the increased permissions to access sensitive data stored in S3 buckets, modify IAM policies to grant themselves further access, or launch EC2 instances for malicious purposes.\u003c/li\u003e\n\u003cli\u003eEach AssumeRole action generates new temporary credentials, effectively refreshing the attacker's session.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence within the AWS environment by repeatedly chaining roles to refresh temporary credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as exfiltrating sensitive data, deploying malware, or disrupting services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via role chaining can lead to significant privilege escalation within an AWS environment. This can enable attackers to gain unauthorized access to sensitive data, modify critical infrastructure configurations, and potentially disrupt business operations. The persistence aspect of role chaining can allow attackers to maintain a foothold in the environment for extended periods, making detection and remediation more challenging. The blast radius can extend across multiple AWS accounts if cross-account role chaining is involved.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AWS STS Role Chaining\u003c/code\u003e to identify instances of role chaining in AWS CloudTrail logs. Tune the rule to exclude expected role-chaining patterns based on your environment (\u003ccode\u003eaws.cloudtrail.user_identity.session_context.session_issuer.arn\u003c/code\u003e, \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for \u003ccode\u003eAssumeRole\u003c/code\u003e events where \u003ccode\u003eaws.cloudtrail.user_identity.type\u003c/code\u003e is \u003ccode\u003eAssumedRole\u003c/code\u003e, focusing on unusual or unexpected role combinations.\u003c/li\u003e\n\u003cli\u003eImplement least privilege policies for all IAM roles, limiting trust policies to only required principals. Periodically review role chaining patterns to validate necessity.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eAWS STS Role Chaining\u003c/code\u003e Sigma rule to identify potential role chaining attempts and investigate accordingly.\u003c/li\u003e\n\u003cli\u003eCorrelate CloudTrail logs with other security events (e.g., GuardDuty alerts) to identify potential privilege escalation or data exfiltration activities following role chaining.\u003c/li\u003e\n\u003cli\u003eEnable MFA where possible on \u003ccode\u003eAssumeRole\u003c/code\u003e operations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-25T12:00:00Z","date_published":"2024-10-25T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-10-aws-sts-role-chaining/","summary":"AWS STS role chaining, where one assumed role is used to assume another, can lead to privilege escalation or persistence by refreshing session tokens, triggering alerts on the first observed role assumption based on CloudTrail logs.","title":"AWS STS Role Chaining for Privilege Escalation and Persistence","url":"https://feed.craftedsignal.io/briefs/2024-10-aws-sts-role-chaining/"}],"language":"en","title":"CraftedSignal Threat Feed - Role-Chaining","version":"https://jsonfeed.org/version/1.1"}