AWS STS GetSessionToken Usage

Status: production
Kind: building block (feeds higher-level correlation rules; not a standalone alert)
Severity: low
Time window: 6m
Author: Austin Songer, Elastic
Source: github.com/elastic/detection-rules

Identifies the use of GetSessionToken API calls by IAM users or Root Account. While this is a common and legitimate operation used to obtain temporary credentials, it also provides adversaries with a method to generate short-lived tokens for stealthy activity. Attackers who compromise IAM user access keys may call GetSessionToken to create temporary credentials, which they can then use to move laterally, escalate privileges, or persist after key rotation. This rule is intended as a BBR to establish patterns of typical STS usage and support correlation with higher-fidelity detections.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1078.004` Valid Accounts: Cloud Accounts, `T1548` Abuse Elevation Control Mechanism
Stealth	`T1078.004` Valid Accounts: Cloud Accounts
Lateral Movement	`T1550.001` Use Alternate Authentication Material: Application Access Token

Event coverage

Provider	Event
AWS-sts	GetSessionToken

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fdrevent table) (Panther)
AWS STS GetSessionToken by IAM User (Panther)
AWS STS GetSessionToken Misuse (Sigma)

Rule body elastic

[metadata]
bypass_bbr_timing = true
creation_date = "2021/05/17"
integration = ["aws"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Austin Songer", "Elastic"]
building_block_type = "default"
description = """
Identifies the use of GetSessionToken API calls by IAM users or Root Account. While this is a common and legitimate
operation used to obtain temporary credentials, it also provides adversaries with a method to generate short-lived
tokens for stealthy activity. Attackers who compromise IAM user access keys may call GetSessionToken to create temporary
credentials, which they can then use to move laterally, escalate privileges, or persist after key rotation. This rule is
intended as a BBR to establish patterns of typical STS usage and support correlation with higher-fidelity detections.
"""
false_positives = [
    """
    GetSessionToken is widely used by legitimate automation, CLI users, and administrative scripts to acquire temporary
    credentials. Frequent, authorized usage is expected in most environments, especially where IAM users authenticate
    with MFA or use short-lived tokens. Review IAM and CI/CD users, SDKs, and service accounts that regularly perform
    this action and document them in an allowlist. Suppress or tune accordingly to reduce noise.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS STS GetSessionToken Usage"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS STS GetSessionToken Usage

AWS Security Token Service (STS) provides temporary credentials for AWS resources, crucial for managing access without long-term credentials. Adversaries may exploit `GetSessionToken` to create temporary credentials, enabling lateral movement and privilege escalation. The detection rule identifies successful `GetSessionToken` requests, flagging potential misuse for further investigation.

#### Possible investigation steps
- **Establish normal baseline behavior**
  - Use this rule’s data to determine which IAM users or automation scripts routinely perform `GetSessionToken`.
  - Monitor frequency, regions, and user agents (CLI, SDK, console) for each identity over time.

- **Identify anomalies**
  - Look for first-time or rare `GetSessionToken` usage by an IAM user.
  - Detect tokens issued without MFA when MFA is normally required.
  - Identify new or unexpected source IPs, geographies, or user agents (e.g., API calls from unfamiliar networks).
  - Check for multiple temporary tokens minted in rapid succession by the same user or access key.

- **Correlate with downstream activity**
  - Search for immediate follow-on events within 15 minutes of token creation:
    - `AssumeRole` into higher-privileged roles or cross-account roles.
    - Privileged API calls (e.g., `iam:*`, `s3:PutBucketPolicy`, `ec2:CreateSnapshot`).
    - New region access, resource enumeration, or credential operations (`GetCallerIdentity`, `ListUsers`, etc.).
  - Use this correlation to elevate contextual `GetSessionToken` behavior into actionable detections.

### Usage Notes
- This rule’s telemetry can support hunting queries such as:
  - `GetSessionToken` without `TokenCode` (no MFA)
  - New IP + `GetSessionToken` + `AssumeRole`
  - Rapid token issuance followed by API activity from a new ASN

Use these patterns in combination with related BBRs or detection rules for `AssumeRole` abuse, cross-account access,
or credential pivoting for more reliable threat detection.
"""
references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"]
risk_score = 21
rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
    "Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail 
  and event.provider: sts.amazonaws.com 
  and event.action: GetSessionToken 
  and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

Stages and Predicates

Stage 1: `query`

event.dataset: aws.cloudtrail 
  and event.provider: sts.amazonaws.com 
  and event.action: GetSessionToken 
  and event.outcome: success

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	eq	`GetSessionToken`
`event.dataset`	eq	`aws.cloudtrail`
`event.outcome`	eq	`success`
`event.provider`	eq	`sts.amazonaws.com`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

AWS STS GetSessionToken Usage

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `query`

Indicators

Keyboard shortcuts

Search operators

AWS STS GetSessionToken Usage

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: query

Indicators

Stage 1: `query`