Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when usage of the AWS Consoler tool is seen in AWS CloudTrail logs, which could indicate that the associated AWS credentials were compromised and used to pivot to the AWS console.

Strategy

This rule monitors AWS CloudTrail logs for the GetFederationToken API call with the parameter aws_consoler. AWS Consoler is a tool that converts long-lived AWS access keys into AWS console access, by generating a sign-in URL. While this tool can be used legitimately by your teams, it may also be used by attackers to gain access to your console.

Triage and response

1. Determine if your organization is using the AWS consoler tool.
2. If the results of the triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
   • If appropriate, disable or rotate the affected credential.
   • Investigate any actions taken by the identity {{@userIdentity.arn}}.
   • Work with the relevant teams to remove the key from any source code repositories.