{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/session-token/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Identity and Access Management (IAM)","AWS CloudTrail","AWS GuardDuty"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","iam","session-token","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting the abuse of temporary session tokens within AWS environments. Temporary session tokens, identified by access key IDs starting with \u0026quot;ASIA,\u0026quot; are commonly issued via sts:GetSessionToken, sts:AssumeRole, or AWS SSO logins. While legitimate for short-term use, their use for privileged IAM actions like creating users, updating policies, or modifying trust relationships is unusual and indicative of malicious activity. Attackers might leverage compromised IAM users or roles to obtain these session tokens and perform unauthorized actions, aiming for persistence, privilege escalation, or defense evasion. This detection excludes console login sessions to reduce false positives, focusing on programmatic abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an IAM user or role within an AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to request a temporary session token via sts:GetSessionToken or sts:AssumeRole.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS API using the temporary session token (access key ID starting with ASIA).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new IAM user using the CreateUser API call.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to modify an existing IAM user's policy using the PutUserPolicy API call.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to update the AssumeRolePolicy associated with an IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker may also attempt to modify CloudTrail or GuardDuty configurations for defense evasion.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by creating new administrative users or roles, or by modifying existing permission policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to establish persistent access within the AWS environment, escalate privileges to gain broader control, and evade detection by modifying security configurations. The impact includes unauthorized access to sensitive data, potential data breaches, and disruption of cloud services. While the specific number of victims or sectors targeted is unknown, organizations heavily reliant on AWS infrastructure are most at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eAWS IAM API Calls via Temporary Session Tokens\u003c/code\u003e rule to detect suspicious API calls made with temporary session tokens. Tune the rule based on expected usage patterns within your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the rule, focusing on actions that modify IAM roles, user policies, and trust relationships, as described in the rule's \u003ccode\u003einvestigation_fields\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnforce MFA for all privileged IAM actions using \u003ccode\u003eaws:MultiFactorAuthPresent\u003c/code\u003e conditions to mitigate the risk of session token abuse, as mentioned in the rule's \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement detection coverage for follow-on persistence actions such as \u003ccode\u003eiam:CreateAccessKey\u003c/code\u003e, \u003ccode\u003eiam:PutUserPolicy\u003c/code\u003e, and \u003ccode\u003eiam:UpdateAssumeRolePolicy\u003c/code\u003e, as recommended in the rule's \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-session-token-abuse/","summary":"Detection of AWS IAM API operations using temporary session credentials, indicating potential credential theft, session hijacking, or privileged role abuse for persistence and defense evasion.","title":"AWS IAM API Calls via Temporary Session Tokens","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-session-token-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed - Session-Token","version":"https://jsonfeed.org/version/1.1"}