Skip to content

Hide Navigation Hide TOC

AWS Console GetSigninToken Potential Abuse (f8103686-e3e8-46f3-be72-65f7fcb4aa53)

Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.

Cluster A Galaxy A Cluster B Galaxy B Level
AWS Console GetSigninToken Potential Abuse (f8103686-e3e8-46f3-be72-65f7fcb4aa53) Sigma-Rules Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern 1
AWS Console GetSigninToken Potential Abuse (f8103686-e3e8-46f3-be72-65f7fcb4aa53) Sigma-Rules Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 1
Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) Attack Pattern 2