
Commit 1c366dd

imays11github-actions[bot]
authored andcommitted
[New Rule] AWS STS Role Chaining (#4209)
* [New Rule] AWS STS Role Chaining Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API. While this is a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges. Role chaining can also be used as a persistence mechanism, as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration. This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior. * adding metadata query fields * removing index field (cherry picked from commit b6847c7)
1 parent c574536 commit 1c366dd

1 file changed

+93
-0
lines changed
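--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE.toml
@@ -0,0 +1,93 @@
+[metadata]
+creation_date = "2024/10/23"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/10/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
+While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
+Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
+This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.
+"""
+false_positives = [
+"""
+Role chaining can be used as an access control. Ensure that this behavior is not part of a legitimate operation before taking action.
+""",
+]
+from = "now-6m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS STS Role Chaining"
+note = """## Setup
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts",
+"https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials",
+"https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/",
+]
+risk_score = 47
+rule_id = "ba5a0b0c-b477-4729-a3dc-0147c2049cf1"
+severity = "medium"
+tags = [
+"Domain: Cloud",
+"Data Source: AWS",
+"Data Source: Amazon Web Services",
+"Data Source: AWS STS",
+"Use Case: Threat Detection",
+"Tactic: Persistence",
+"Tactic: Privilege Escalation",
+"Tactic: Lateral Movement",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-* metadata _id, _version, _index
+
+// filter for AssumeRole API calls where access key id is a short term token beginning with ASIA
+| where event.dataset == "aws.cloudtrail" and event.provider == "sts.amazonaws.com" and event.action == "AssumeRole" and aws.cloudtrail.resources.account_id == aws.cloudtrail.recipient_account_id and aws.cloudtrail.user_identity.access_key_id like "ASIA*"
+
+// keep only the relevant fields
+| keep aws.cloudtrail.user_identity.arn, cloud.region, aws.cloudtrail.resources.account_id, aws.cloudtrail.recipient_account_id, aws.cloudtrail.user_identity.access_key_id
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"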
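Review bot: The `| keep` projection at the end of the query (file line 55) does not list the `_id`, `_version` and `_index` columns that the `metadata` clause on line 49 requests, so those columns are dropped from the rule's output; if the ES|QL rule engine relies on them surviving the final projection for per-document alert deduplication — as the commit message's "adding metadata query fields" suggests was the intent — the clause is effectively a no-op here, so confirm against the ES|QL rule documentation and, if so, change the line to `| keep _id, _version, _index, aws.cloudtrail.user_identity.arn, cloud.region, aws.cloudtrail.resources.account_id, aws.cloudtrail.recipient_account_id, aws.cloudtrail.user_identity.access_key_id`. Note also that `@timestamp` is not kept, so the resulting alerts carry none of the original event timing beyond `event.ingested`, which may be worth retaining for triage. Separately, the description on line 11 reads `While this a recognized functionality in AWS`; it should be `While this is a recognized functionality in AWS`.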
