AWS Console GetSigninToken Event
Overview
This detector identifies suspicious "GetSigninToken" events in the AWS Console. It alerts when an attacker potentially uses tools like "aws_consoler" to create temporary federated credentials, bypassing the need for MFA. These credentials can be used to pivot from the AWS CLI to the console without the original access key, making it harder to identify the compromised credential. Investigating these events helps detect and respond to unauthorized access attempts and potential credential abuse.
Vendor
AWS
Input
{
  "expectedUserAgents": {
    "label": "Expected User Agents",
    "helpText": "List of expected user agents for GetSigninToken events. GetSigninToken events will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s).",
    "type": "string[]",
    "value": []
  }
}
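Example (added here, not the detector's own code): a minimal sketch of the filtering that the expectedUserAgents input implies, run over constructed CloudTrail-style records. The function names, the sample records and their user agent strings are assumptions, as is the choice of exact, case-insensitive matching; the field names eventSource, eventName and userAgent are standard CloudTrail record fields.

```python
# Constructed CloudTrail-style records (not real log data).
# User agent strings and event IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventID": "constructed-1", "eventSource": "signin.amazonaws.com",
     "eventName": "GetSigninToken", "userAgent": "example-sso-portal-agent/1.0"},
    {"eventID": "constructed-2", "eventSource": "signin.amazonaws.com",
     "eventName": "GetSigninToken", "userAgent": "constructed-cli-tool/0.1"},
    {"eventID": "constructed-3", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userAgent": "constructed-cli-tool/0.1"},
    # Record with no userAgent field at all.
    {"eventID": "constructed-4", "eventSource": "signin.amazonaws.com",
     "eventName": "GetSigninToken"},
]


def is_suspicious(event, expected_user_agents):
    """Return True for a GetSigninToken event whose user agent is not expected."""
    if event.get("eventSource") != "signin.amazonaws.com":
        return False
    if event.get("eventName") != "GetSigninToken":
        return False
    # Assumption: exact match, ignoring case and surrounding whitespace.
    expected = {ua.strip().lower() for ua in expected_user_agents if ua.strip()}
    observed = (event.get("userAgent") or "").strip().lower()
    # A missing or empty user agent never matches, so it is reported.
    return observed not in expected


def detect(events, expected_user_agents):
    """Return the eventIDs that should raise an alert."""
    return [e["eventID"] for e in events if is_suspicious(e, expected_user_agents)]


if __name__ == "__main__":
    # Default input (empty list): every GetSigninToken event alerts,
    # including the one produced by the expected SSO portal agent.
    print(detect(SAMPLE_EVENTS, []))
    # With the portal's user agent listed, only the unexpected ones remain.
    print(detect(SAMPLE_EVENTS, ["example-sso-portal-agent/1.0"]))
```

With the default empty list, the SSO portal login in the sample data is reported as well, which is the false positive the help text describes.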
References
https://github.com/NetSPI/aws_consoler, https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
Severity
3