|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/04/11" |
| 3 | +integration = ["aws"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/04/11" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +This rule detects when a single IAM user's temporary session token is used from multiple IP addresses within a short |
| 11 | +time frame. This behavior may indicate that an adversary has stolen temporary credentials and is using them from a |
| 12 | +different location. |
| 13 | +""" |
| 14 | +false_positives = [ |
| 15 | + """ |
| 16 | + Highly distributed environments (e.g., globally deployed automation or edge nodes) may cause a single IAM user to |
| 17 | + appear from multiple IPs. Review the geolocation and automation context to rule out benign use. |
| 18 | + """, |
| 19 | +] |
| 20 | +from = "now-30m" |
| 21 | +language = "esql" |
| 22 | +license = "Elastic License v2" |
| 23 | +name = "AWS STS Temporary IAM Session Token Used from Multiple Addresses" |
| 24 | +note = """## Triage and Analysis |
| 25 | +
|
| 26 | +### Investigating AWS STS Temporary IAM Session Token Used from Multiple Addresses |
| 27 | +
|
| 28 | +Temporary session tokens (typically starting with 'ASIA') are expected to be short-lived and bound to a single user session. Usage from multiple IP addresses may indicate the token was stolen and used elsewhere. |
| 29 | +
|
| 30 | +#### Possible Investigation Steps |
| 31 | +
|
| 32 | +- **Identify the IAM User**: Examine `aws.cloudtrail.user_identity.arn` and correlate with `source.ip` to determine how widely the token was used. |
| 33 | +- **Check Recent MFA Events**: Determine whether the user recently enabled MFA, registered devices, or assumed a role using this token. |
| 34 | +- **Review Workload Context**: Confirm whether the user was expected to be active in multiple regions or environments. |
| 35 | +- **Trace Adversary Movement**: Pivot to related actions (e.g., `s3:ListBuckets`, `iam:ListUsers`, `sts:GetCallerIdentity`) to track further enumeration. |
| 36 | +
|
| 37 | +### False Positive Analysis |
| 38 | +
|
| 39 | +- Automation frameworks that rotate through multiple IPs or cloud functions with dynamic egress IPs may cause this alert to fire. |
| 40 | +- Confirm geolocation and workload context before escalating. |
| 41 | +
|
| 42 | +### Response and Remediation |
| 43 | +
|
| 44 | +- **Revoke the Token**: Disable or rotate the IAM credentials and invalidate the temporary session token. |
| 45 | +- **Audit the Environment**: Look for signs of lateral movement or data access during the token's validity. |
| 46 | +- **Strengthen Controls**: Require MFA for high-privilege actions, restrict access via policy conditions (e.g., IP range or device). |
| 47 | +
|
| 48 | +### References |
| 49 | +
|
| 50 | +- [STS Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) |
| 51 | +- [Using MFA with Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
| 52 | +- [AWS Threat Detection Use Cases](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) |
| 53 | +""" |
| 54 | +references = ["https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"] |
| 55 | +risk_score = 47 |
| 56 | +rule_id = "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0" |
| 57 | +severity = "medium" |
| 58 | +tags = [ |
| 59 | + "Domain: Cloud", |
| 60 | + "Data Source: AWS", |
| 61 | + "Data Source: Amazon Web Services", |
| 62 | + "Data Source: AWS IAM", |
| 63 | + "Data Source: AWS CloudTrail", |
| 64 | + "Tactic: Initial Access", |
| 65 | + "Use Case: Identity and Access Audit", |
| 66 | + "Resources: Investigation Guide", |
| 67 | +] |
| 68 | +timestamp_override = "event.ingested" |
| 69 | +type = "esql" |
| 70 | + |
| 71 | +query = ''' |
| 72 | +from logs-aws.cloudtrail* metadata _id, _version, _index |
| 73 | +| where |
| 74 | +
|
| 75 | + // filter on CloudTrail logs for STS temporary session tokens used by IAM users |
| 76 | + event.dataset == "aws.cloudtrail" |
| 77 | + and aws.cloudtrail.user_identity.arn is not null |
| 78 | + and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole") |
| 79 | + and source.ip is not null |
| 80 | +
|
| 81 | + // exclude known benign IaC tools and automation frameworks |
| 82 | + and not ( |
| 83 | + user_agent.original LIKE "%Terraform%" |
| 84 | + or user_agent.original LIKE "%Ansible%" |
| 85 | + or user_agent.original LIKE "%Pulumni%" |
| 86 | + ) |
| 87 | +
|
| 88 | + // filter for ASIA in tokens, indicating temporary session tokens |
| 89 | + and starts_with(aws.cloudtrail.user_identity.access_key_id, "ASIA") |
| 90 | +
|
| 91 | + // create a time window for aggregation |
| 92 | +| eval time_window = DATE_TRUNC(30 minutes, @timestamp) |
| 93 | +| keep source.ip, aws.cloudtrail.user_identity.arn |
| 94 | +
|
| 95 | +// aggregate unique source IPs per user within the time window |
| 96 | +| stats source.ip.list = VALUES(source.ip), address_api_request_count = count_distinct(source.ip) by aws.cloudtrail.user_identity.arn |
| 97 | +
|
| 98 | +// filter for users with multiple unique source IPs in the time window |
| 99 | +| where address_api_request_count >= 2 |
| 100 | +''' |
| 101 | + |
| 102 | + |
| 103 | +[[rule.threat]] |
| 104 | +framework = "MITRE ATT&CK" |
| 105 | +[[rule.threat.technique]] |
| 106 | +id = "T1078" |
| 107 | +name = "Valid Accounts" |
| 108 | +reference = "https://attack.mitre.org/techniques/T1078/" |
| 109 | +[[rule.threat.technique.subtechnique]] |
| 110 | +id = "T1078.004" |
| 111 | +name = "Cloud Accounts" |
| 112 | +reference = "https://attack.mitre.org/techniques/T1078/004/" |
| 113 | + |
| 114 | + |
| 115 | + |
| 116 | +[rule.threat.tactic] |
| 117 | +id = "TA0001" |
| 118 | +name = "Initial Access" |
| 119 | +reference = "https://attack.mitre.org/tactics/TA0001/" |
| 120 | + |
0 commit comments