<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Session-Token - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/session-token/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/session-token/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS IAM API Calls via Temporary Session Tokens</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-session-token-abuse/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-aws-iam-session-token-abuse/</guid><description>Detection of AWS IAM API operations using temporary session credentials, indicating potential credential theft, session hijacking, or privileged role abuse for persistence and defense evasion.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting the abuse of temporary session tokens within AWS environments. Temporary session tokens, identified by access key IDs starting with &quot;ASIA,&quot; are commonly issued via sts:GetSessionToken, sts:AssumeRole, or AWS SSO logins. While legitimate for short-term use, their use for privileged IAM actions like creating users, updating policies, or modifying trust relationships is unusual and indicative of malicious activity. Attackers might leverage compromised IAM users or roles to obtain these session tokens and perform unauthorized actions, aiming for persistence, privilege escalation, or defense evasion. This detection excludes console login sessions to reduce false positives, focusing on programmatic abuse.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an IAM user or role within an AWS environment.</li>
<li>The attacker uses the compromised credentials to request a temporary session token via sts:GetSessionToken or sts:AssumeRole.</li>
<li>The attacker authenticates to the AWS API using the temporary session token (access key ID starting with ASIA).</li>
<li>The attacker attempts to create a new IAM user using the CreateUser API call.</li>
<li>The attacker attempts to modify an existing IAM user's policy using the PutUserPolicy API call.</li>
<li>The attacker attempts to update the AssumeRolePolicy associated with an IAM role.</li>
<li>The attacker may also attempt to modify CloudTrail or GuardDuty configurations for defense evasion.</li>
<li>The attacker achieves persistence by creating new administrative users or roles, or by modifying existing permission policies.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can allow attackers to establish persistent access within the AWS environment, escalate privileges to gain broader control, and evade detection by modifying security configurations. The impact includes unauthorized access to sensitive data, potential data breaches, and disruption of cloud services. While the specific number of victims or sectors targeted is unknown, organizations heavily reliant on AWS infrastructure are most at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>AWS IAM API Calls via Temporary Session Tokens</code> rule to detect suspicious API calls made with temporary session tokens. Tune the rule based on expected usage patterns within your environment.</li>
<li>Investigate all alerts generated by the rule, focusing on actions that modify IAM roles, user policies, and trust relationships, as described in the rule's <code>investigation_fields</code>.</li>
<li>Enforce MFA for all privileged IAM actions using <code>aws:MultiFactorAuthPresent</code> conditions to mitigate the risk of session token abuse, as mentioned in the rule's <code>note</code>.</li>
<li>Implement detection coverage for follow-on persistence actions such as <code>iam:CreateAccessKey</code>, <code>iam:PutUserPolicy</code>, and <code>iam:UpdateAssumeRolePolicy</code>, as recommended in the rule's <code>note</code>.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>iam</category><category>session-token</category><category>persistence</category><category>privilege-escalation</category></item></channel></rss>