Elastic Security Detection Rules

AWS STS AssumeRoot by Rare User and Member Account

Last updated a month ago on 2024-11-24
Created a month ago on 2024-11-24

About

Identifies when the STS `AssumeRoot` action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries whom may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when the STS `AssumeRoot` action is performed by a user that rarely assumes this role and specific member account.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS STSUse Case: Identity and Access AuditTactic: Privilege Escalation
Severity
low
Risk Score
21
MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

Abuse Elevation Control Mechanism (T1548)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

Account Manipulation (T1098)(opens in a new tab or window)

False Positive Examples
AWS administrators or automated processes might regularly assume root for legitimate administrative purposes.AWS services might assume root to access AWS resources as part of their standard operations.Automated workflows might assume root to perform periodic administrative tasks.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(opens in a new tab or window)

Query
event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRoot"
    and event.outcome: "success"

Install detection rules in Elastic Security

Detect AWS STS AssumeRoot by Rare User and Member Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).