New AWS account seen assuming a role into AWS account

cloudtrail

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1199-trusted-relationship

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an attacker accesses your AWS account from their AWS Account.

Strategy

This rule lets you monitor AssumeRole (@evt.name:AssumeRole) CloudTrail API calls to detect when an external AWS account (@userIdentity.accountId) assumes a role into your AWS account (account). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.

Triage and response

  1. Determine if the @userIdentity.accountId is an AWS account is managed by your company.
  2. If not, try to determine who is the owner of the AWS account.
  3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.

Changelog

7 April 2022 - Updated rule query and signal message.

PREVIEWING: may/unit-testing