[New Rule] AWS AssumeRoleWithWebIdentity from unusual source ASN#5903

Closed
terrancedejesus wants to merge 1 commit intomainfrom
feature/sts-assume-role-web-identity-new-source-asn

Conversation

@terrancedejesus terrancedejesus commented Mar 31, 2026

Summary

Adds AWS STS AssumeRole with Web Identity from Unusual ASN (initial_access_sts_assume_role_web_identity_new_source_asn.toml), a New Terms rule on successful AssumeRoleWithWebIdentity when aws.cloudtrail.resources.arn + source.as.number appear together for the first time within the history window (now-10d lookback, now-6m rule interval). Requires ASN enrichment (source.as.number) and populated role resource ARN.

Threat

  • Valid cloud accounts / alternate auth material (MITRE T1078.004, T1550.001): reuse of OIDC or web-identity federation where a JWT or equivalent token is exercised from networks you have not previously seen for that same target IAM role (e.g. VPN, VPS, or replay off normal CI egress).
  • Complements static-key and tooling-specific detections after supply-chain or credential theft (see references).

Gap addressed

Existing rules cover AssumeRole (IAM user/service patterns), role chaining, MFA device novelties, and OIDC provider creation, but not first-time federation ASN surface per assumed role for web identity. This targets post-exfil replay where API calls still succeed and egress ASN diverges from the org’s learned CI/IdP baseline.

Limits

  • In-runner-only abuse (same ASN as legitimate jobs) is not the primary signal; pair with behavioral enumeration rules.
  • False positives: new runner regions, VPN/proxy shifts, GeoIP/ASN updates, new roles without history. Tune allowlists and the window as needed.

References

- Detect first-seen pairing of assumed role ARN (aws.cloudtrail.resources.arn)
  and source.as.number on successful AssumeRoleWithWebIdentity
- Investigation guide aligned with Azure-style triage sections; add Identity domain tag
- Refs: AWS STS web identity API, IAM OIDC guide, Kudelski Trivy supply-chain analysis

Rule ID: 9f8c2532-b959-4915-876a-5f4b80eefd31

Made-with: Cursor
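As an added illustration of the detection the Summary describes, the Python below re-implements the New Terms check over a handful of constructed CloudTrail-style ECS events. This is example code written for this page, not the rule's own logic or any Elastic code. The field names follow the PR (aws.cloudtrail.resources.arn and source.as.number, a 10-day history window); the role ARN, timestamps, ASN numbers and organization name are constructed sample data, and the exception handling (suppress the alert but still record the pairing as seen) is this toy's simplification, not a description of how Elastic exceptions interact with New Terms history. The field pair is a parameter, so the alternative keying discussed in review can be tried the same way.

```python
"""Toy re-implementation of the rule's New Terms logic (example code, not the rule itself).

Alert on a successful AssumeRoleWithWebIdentity whose (role ARN, source ASN) pairing
has not been seen within the preceding history window (now-10d in the PR summary).
"""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Any, Iterable

HISTORY_WINDOW = timedelta(days=10)  # the now-10d lookback from the PR summary
NEW_TERMS_FIELDS = ("aws.cloudtrail.resources.arn", "source.as.number")


def get_field(event: dict, dotted: str) -> Any:
    """Resolve a dotted ECS field name against a nested dict; None if any hop is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def event_time(event: dict) -> datetime:
    """Parse the ECS @timestamp (RFC 3339 with a trailing Z)."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def matches_query(event: dict, new_terms_fields=NEW_TERMS_FIELDS) -> bool:
    """Base query: CloudTrail, successful AssumeRoleWithWebIdentity, both key fields populated.
    Events without ASN enrichment or without a role resource ARN cannot be keyed and are dropped."""
    return (
        get_field(event, "event.dataset") == "aws.cloudtrail"
        and get_field(event, "event.action") == "AssumeRoleWithWebIdentity"
        and get_field(event, "event.outcome") == "success"
        and all(get_field(event, f) is not None for f in new_terms_fields)
    )


def is_excepted(event: dict, exceptions: dict[str, set]) -> bool:
    """Exception list shaped {field: {allowed values}}; any match suppresses the alert."""
    return any(get_field(event, field) in values for field, values in exceptions.items())


def new_terms_alerts(events: Iterable[dict], *, history_window=HISTORY_WINDOW,
                     new_terms_fields=NEW_TERMS_FIELDS, exceptions=None) -> list[dict]:
    """Replay events in time order; return those whose field pairing is new.

    A pairing is new when it was not seen within history_window before the event,
    so a pairing that goes quiet for longer than the window alerts again on return.
    Excepted events are still recorded as seen (this toy's choice) so an allowlisted
    ASN keeps building baseline history.
    """
    exceptions = exceptions or {}
    last_seen: dict[tuple, datetime] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=event_time):
        if not matches_query(ev, new_terms_fields):
            continue
        key = tuple(get_field(ev, f) for f in new_terms_fields)
        t = event_time(ev)
        prev = last_seen.get(key)
        last_seen[key] = t
        if prev is not None and t - prev <= history_window:
            continue  # seen recently: not a new term
        if is_excepted(ev, exceptions):
            continue  # new, but allowlisted
        alerts.append(ev)
    return alerts


# --- constructed sample data (hypothetical role, illustrative ASNs; not real CloudTrail) ---
ROLE_ARN = "arn:aws:iam::123456789012:role/ci-deploy"


def make_event(ts: str, arn: str, asn: int | None, outcome: str = "success",
               org: str | None = None) -> dict:
    ev = {
        "@timestamp": ts,
        "event": {"dataset": "aws.cloudtrail", "action": "AssumeRoleWithWebIdentity",
                  "outcome": outcome},
        "aws": {"cloudtrail": {"resources": {"arn": arn}}},
        "source": {"as": {}},
    }
    if asn is not None:
        ev["source"]["as"]["number"] = asn
    if org is not None:
        ev["source"]["as"]["organization"] = {"name": org}
    return ev


SAMPLE_EVENTS = [
    make_event("2026-03-01T10:00:00Z", ROLE_ARN, 16509, org="Amazon.com, Inc."),  # first ever seen: cold-start alert
    make_event("2026-03-02T10:00:00Z", ROLE_ARN, 16509, org="Amazon.com, Inc."),  # repeat of known pairing: quiet
    make_event("2026-03-03T10:00:00Z", ROLE_ARN, 14061, outcome="failure"),       # failed call: filtered by query
    make_event("2026-03-04T10:00:00Z", ROLE_ARN, 14061),                          # same role, new egress ASN: alert
    make_event("2026-03-05T10:00:00Z", ROLE_ARN, None),                           # no ASN enrichment: filtered by query
    make_event("2026-03-16T10:00:00Z", ROLE_ARN, 16509, org="Amazon.com, Inc."),  # quiet 14 days, beyond window: alert
]


def alert_timestamps(events: Iterable[dict], **kwargs) -> list[str]:
    """The @timestamp of each alerting event, for quick inspection."""
    return [ev["@timestamp"] for ev in new_terms_alerts(events, **kwargs)]


if __name__ == "__main__":
    for ev in new_terms_alerts(SAMPLE_EVENTS):
        print(ev["@timestamp"], get_field(ev, "aws.cloudtrail.resources.arn"),
              "ASN", get_field(ev, "source.as.number"))
    # Allowlisting the CI egress provider by organization name leaves only the off-baseline assumption.
    print(alert_timestamps(SAMPLE_EVENTS, exceptions={"source.as.organization.name": {"Amazon.com, Inc."}}))
```

The two filtered events show the preconditions the Summary states: a failed AssumeRoleWithWebIdentity never reaches the New Terms step, and an event without source.as.number cannot form a key. The final event shows the window behaviour that the Limits bullet on new roles and runner regions alludes to: a pairing that has been absent longer than the history window is "new" again, so a long-idle CI role produces a cold-start alert on its next run.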
@github-actions

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date the creation PR was initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non-ECS fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

@terrancedejesus terrancedejesus changed the title AWS: New Terms — AssumeRoleWithWebIdentity from unusual source ASN [New Rule] AWS AssumeRoleWithWebIdentity from unusual source ASN Mar 31, 2026
"""
New CI regions, new self-hosted runners, corporate network changes, or cloud provider expansions can introduce a
first-seen ASN for a federated role. Geolocation and ASN enrichment gaps may also suppress or skew results. Tune
with exceptions on `aws.cloudtrail.resources.arn`, `source.as.organization.name`, or expected ASNs; extend the
@terrancedejesus (Contributor Author):

Suggested change
with exceptions on `aws.cloudtrail.resources.arn`, `source.as.organization.name`, or expected ASNs; extend the
with exceptions on `user.id`, `source.as.organization.name`, or expected ASNs; extend the


[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.resources.arn", "source.as.number"]
@terrancedejesus (Contributor Author):

Suggested change
value = ["aws.cloudtrail.resources.arn", "source.as.number"]
value = ["user.id", "source.as.number"]
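Review bot: the suggestion replaces `aws.cloudtrail.resources.arn` with `user.id` in `new_terms_fields` (and, in the paired investigation-guide suggestion above, in the exception guidance), but the PR Summary still describes the rule as pairing `aws.cloudtrail.resources.arn` with `source.as.number` and lists a populated role resource ARN as a requirement, and the Gap section frames the baseline as "per assumed role". If the `user.id` keying is adopted, update the Summary, the ARN requirement sentence, and the rule name and description to match, and state what `user.id` resolves to on an `AssumeRoleWithWebIdentity` event so it is clear whether the learned baseline is still per role or per federated principal.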

@terrancedejesus (Contributor Author):

Closing this pull request. Choosing not to ship detection as it strays from the main behaviors reported for TeamPCP in that long-term creds were used for post compromise.
