Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
'Adversaries may generate temporary credentials of existing privileged IAM roles to access AWS resources that were not previously accessible to perform malicious actions. The credentials may be generated by trusted IAM user or via AWS Cloud Instance Metadata API. This query will look for AWS STS API Assume Role operations for RoleArn (Role Amazon Resource Names) which was not historically seen. You can also limit the query to only sensitive IAM Roles which needs to be monitored. Read more about
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Amazon Web Services |
| ID | 5b6ee21d-da53-46eb-827c-eab2a9ba3d2f |
| Tactics | InitialAccess, DefenseEvasion |
| Techniques | T1078 |
| Required Connectors | AWS, AWSS3 |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
AWSCloudTrail |
EventName == "AssumeRole" |
✓ | ✓ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊