
Commit 9b2474d

[New Rule] AWS STS Role Chaining
Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API. While this is supported AWS functionality, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges. Role chaining can also be used as a persistence mechanism, as each AssumeRole call results in a refreshed session token with a 1 hour maximum duration. This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.
1 parent be656ae commit 9b2474d


1 file changed

+94
-0
lines changed

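--- /dev/null
+++ b/unknown
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2024/10/23"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/10/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
+While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
+Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
+This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.
+"""
+false_positives = [
+"""
+Role chaining can be used as an access control. Ensure that this behavior is not part of a legitimate operation before taking action.
+""",
+]
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "esql"
+license = "Elastic License v2"
+name = "AWS STS Role Chaining"
+note = """## Setup
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts",
+"https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials",
+"https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/",
+]
+risk_score = 47
+rule_id = "ba5a0b0c-b477-4729-a3dc-0147c2049cf1"
+severity = "medium"
+tags = [
+"Domain: Cloud",
+"Data Source: AWS",
+"Data Source: Amazon Web Services",
+"Data Source: AWS STS",
+"Use Case: Threat Detection",
+"Tactic: Persistence",
+"Tactic: Privilege Escalation",
+"Tactic: Lateral Movement",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-*
+
+// filter for AssumeRole API calls where access key id is a short term token beginning with ASIA
+| where event.dataset == "aws.cloudtrail" and event.provider == "sts.amazonaws.com" and event.action == "AssumeRole" and aws.cloudtrail.resources.account_id == aws.cloudtrail.recipient_account_id and aws.cloudtrail.user_identity.access_key_id like "ASIA*"
+
+// keep only the relevant fields
+| keep aws.cloudtrail.user_identity.arn, cloud.region, aws.cloudtrail.resources.account_id, aws.cloudtrail.recipient_account_id, aws.cloudtrail.user_identity.access_key_id
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"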
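Review bot: The `aws.cloudtrail.user_identity.access_key_id like "ASIA*"` predicate in the `where` clause (diff line 53) matches any temporary credential, not only one minted by a prior AssumeRole, so an IAM user operating under an MFA/GetSessionToken session that assumes a role will fire this rule even though no chaining occurred; adding `and aws.cloudtrail.user_identity.type == "AssumedRole"` would pin the caller to an assumed-role session, assuming the integration populates that field for CloudTrail events as it normally does. The filter also never checks `event.outcome`, so denied AssumeRole attempts surface alongside successful chains; that may be intended, but the description speaks of refreshed session tokens, which only successful calls produce, so either add `and event.outcome == "success"` or state in the description that failures are included. The `keep` on diff line 56 drops the fields an analyst needs to see both ends of the chain — consider retaining `aws.cloudtrail.user_identity.session_context.session_issuer.arn` (source role) and `aws.cloudtrail.resources.arn` (target role), if those are populated on AssumeRole events in your data. Minor: `index` lists `filebeat-*`, but the ES|QL `from` reads only `logs-aws.cloudtrail-*`, so the `filebeat-*` entry is never consulted by this query.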
