Okta temporary AWS credentials granted using open source tooling


Goal

Detects when the open source CLI tool gimme-aws-creds is used to obtain temporary AWS credentials for an Okta user.

Strategy

This rule monitors successful application authentication events (user.authentication.sso) in which the user agent includes gimme-aws-creds.

When the activity is from a new device or suspicious origin, the severity is increased.
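As an added illustration of the matching logic described above (example code, not Datadog's rule implementation), the following Python applies the same checks to constructed Okta System Log lines. The per-user baseline of previously seen client IPs that stands in for "new device" is an assumption; the real rule derives that signal from its own enrichment.

```python
import json


def _event(user, ip, user_agent, result, app="Amazon Web Services"):
    """Build a minimal Okta System Log record (constructed sample, not real data)."""
    return json.dumps({
        "eventType": "user.authentication.sso",
        "outcome": {"result": result},
        "actor": {"alternateId": user, "type": "User"},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": user_agent}},
        "target": [{"type": "AppInstance", "displayName": app}],
    })


# Constructed sample log lines; user agent strings are illustrative, not captured.
SAMPLE_LOG_LINES = [
    _event("alice@example.com", "203.0.113.10", "python-requests/2.31 gimme-aws-creds/2.8", "SUCCESS"),
    _event("bob@example.com", "198.51.100.7", "gimme-aws-creds/2.8", "SUCCESS"),
    _event("alice@example.com", "203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64)", "SUCCESS"),
    _event("carol@example.com", "198.51.100.9", "gimme-aws-creds/2.8", "FAILURE"),
]

# Assumption: client IPs previously seen per user, standing in for "known device".
KNOWN_CLIENT_IPS = {"alice@example.com": {"203.0.113.10"}}


def detect(event):
    """Return an alert dict when the event matches the rule, else None."""
    if event.get("eventType") != "user.authentication.sso":
        return None
    if (event.get("outcome") or {}).get("result") != "SUCCESS":
        return None
    client = event.get("client") or {}
    user_agent = (client.get("userAgent") or {}).get("rawUserAgent") or ""
    if "gimme-aws-creds" not in user_agent.lower():
        return None
    user = (event.get("actor") or {}).get("alternateId")
    ip = client.get("ipAddress")
    apps = [t.get("displayName") for t in (event.get("target") or [])
            if t.get("type") == "AppInstance"]
    # Escalate when the source is not in the user's known-device baseline.
    severity = "low" if ip in KNOWN_CLIENT_IPS.get(user, set()) else "medium"
    return {"user": user, "ip": ip, "apps": apps, "severity": severity}


def run(lines):
    """Run the detection over raw JSON log lines and collect the alerts."""
    return [a for a in (detect(json.loads(line)) for line in lines) if a]
```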

Triage & Response

  • Review the sign-on details for {{@usr.email}} and confirm whether the user normally uses this tooling to access AWS. The field {{@target.displayName}} contains the name of the AWS application instance that was accessed through the tooling.
  • Check whether the geolocation and source IP {{@network.client.ip}} match expected locations, travel, or corporate VPN patterns.
  • Examine subsequent AWS actions within CloudTrail logs from the same user after obtaining credentials.
  • If the access event is unexpected or resulted in suspicious activities, initiate your incident response plan.