Detectionmediumtest

AWS Console GetSigninToken Potential Abuse

Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Chester Le BronCreated Mon Feb 26f8103686-e3e8-46f3-be72-65f7fcb4aa53cloud

Log Source

AWScloudtrail

ProductAWS← raw: aws

Servicecloudtrail← raw: cloudtrail

Detection Logic

detection:
    selection:
        eventSource: 'signin.amazonaws.com'
        eventName: 'GetSigninToken'
    filter_main_console_ua:
        userAgent|contains: 'Jersey/${project.version}'
    condition: selection and not 1 of filter_main_*

False Positives

GetSigninToken events will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. Non-SSO configured roles would be abnormal and should be investigated.

References

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement TA0005 · Defense Evasion

Sub-techniques

T1021.007 · Cloud Services T1550.001 · Application Access Token

Rule Metadata

Rule ID