Okta temporary AWS credentials granted using open source tooling

Goal

Detects when the open source CLI tool, gimme-aws-creds, is used to obtain temporary Okta user credentials to AWS.

Strategy

This rule monitors successful application authentication events (Okta event type user.authentication.sso) in which the user agent string contains gimme-aws-creds.

When the activity is from a new device or suspicious origin, the severity is increased.
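The matching logic described above, written out as an added example that is not the rule's own query or Datadog code. It evaluates constructed Okta System Log records (field names follow the Okta System Log schema: eventType, outcome.result, client.userAgent.rawUserAgent, actor.alternateId, target[].displayName, client.ipAddress) and raises the severity when Okta's debugContext.debugData.behaviors string reports a new device or a new country or geo-location. The severity labels, the choice of which behaviors count as "suspicious origin", and the sample records are assumptions made for the example, not values taken from the rule.

```python
from dataclasses import dataclass
from typing import Optional

TOOL_MARKER = "gimme-aws-creds"
# Assumed mapping of "new device or suspicious origin" onto Okta behavior names.
ELEVATING_BEHAVIORS = ("New Device", "New Country", "New Geo-Location")

# Constructed sample Okta System Log records (not real data).
SAMPLE_EVENTS = [
    {   # known device, known origin -> baseline severity
        "eventType": "user.authentication.sso",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "alice@example.com"},
        "client": {"userAgent": {"rawUserAgent": "gimme-aws-creds/2.4.0 python-requests/2.31"},
                   "ipAddress": "203.0.113.10"},
        "target": [{"type": "AppInstance", "displayName": "AWS Account Federation (prod)"}],
        "debugContext": {"debugData": {"behaviors":
            "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New Country=NEGATIVE}"}},
    },
    {   # same tooling from a device Okta has not seen -> elevated severity
        "eventType": "user.authentication.sso",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "bob@example.com"},
        "client": {"userAgent": {"rawUserAgent": "gimme-aws-creds/2.4.0 python-requests/2.31"},
                   "ipAddress": "198.51.100.7"},
        "target": [{"type": "AppInstance", "displayName": "AWS Account Federation (dev)"}],
        "debugContext": {"debugData": {"behaviors":
            "{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=POSITIVE, New Country=NEGATIVE}"}},
    },
    {   # ordinary browser SSO -> no match
        "eventType": "user.authentication.sso",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "carol@example.com"},
        "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"},
                   "ipAddress": "203.0.113.11"},
        "target": [{"type": "AppInstance", "displayName": "AWS Account Federation (prod)"}],
        "debugContext": {"debugData": {}},
    },
    {   # tooling used but authentication failed -> no match (rule wants SUCCESS)
        "eventType": "user.authentication.sso",
        "outcome": {"result": "FAILURE"},
        "actor": {"alternateId": "dave@example.com"},
        "client": {"userAgent": {"rawUserAgent": "gimme-aws-creds/2.4.0 python-requests/2.31"},
                   "ipAddress": "203.0.113.12"},
        "target": [{"type": "AppInstance", "displayName": "AWS Account Federation (prod)"}],
        "debugContext": {"debugData": {}},
    },
]


@dataclass
class Finding:
    user: str       # maps to @usr.email in the triage steps
    app: str        # maps to @target.displayName
    ip: str         # maps to @network.client.ip
    severity: str


def parse_behaviors(raw: str) -> dict:
    """Parse Okta's behaviors string, e.g. '{New Device=POSITIVE, New IP=NEGATIVE}'."""
    out = {}
    for part in raw.strip().strip("{}").split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the rule's conditions to one record; return a Finding or None."""
    if event.get("eventType") != "user.authentication.sso":
        return None
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return None
    ua = (event.get("client", {}).get("userAgent", {}).get("rawUserAgent") or "")
    if TOOL_MARKER not in ua.lower():
        return None
    raw = event.get("debugContext", {}).get("debugData", {}).get("behaviors", "")
    behaviors = parse_behaviors(raw)
    elevated = any(behaviors.get(name) == "POSITIVE" for name in ELEVATING_BEHAVIORS)
    apps = [t.get("displayName", "") for t in event.get("target", []) if t.get("type") == "AppInstance"]
    return Finding(
        user=event.get("actor", {}).get("alternateId", "unknown"),
        app=", ".join(apps) or "unknown",
        ip=event.get("client", {}).get("ipAddress", ""),
        severity="high" if elevated else "medium",   # assumed labels
    )


def detect(events) -> list:
    """Run the rule over a batch of records and keep only the matches."""
    return [f for f in map(evaluate, events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints two findings: alice's routine use at medium severity and bob's use from a new device at high severity; the browser SSO and the failed attempt are not reported. In a real pipeline the user-agent match should be applied to the raw header, as here, since gimme-aws-creds identifies itself in that string rather than in Okta's parsed browser or OS fields.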

Triage & Response

  • Review the sign-on details for {{@usr.email}} and confirm if the user normally uses this tooling to access AWS. The field {{@target.displayName}} will include the name of the AWS application instance which was authenticated to through the tooling.
  • Check whether the geolocation and source IP {{@network.client.ip}} match expected locations, travel, or corporate VPN patterns.
  • Examine subsequent AWS actions within CloudTrail logs from the same user after obtaining credentials.
  • If the access event is unexpected or resulted in suspicious activities, initiate your incident response plan.