
STS Get Caller Identity

Author: Nick Jones
Last Update: 2020-06-18

An adversary may attempt to verify their current identity with the credentials they hold, both to confirm that the credentials are valid and to learn more about that identity for reconnaissance purposes.

MITRE IDs

Required Permissions

  • sts:GetCallerIdentity

Required Parameters

None

Attacker Action

aws sts get-caller-identity

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:GetCallerIdentity AND eventSource:sts.amazonaws.com

Sigma Definition

---
title: STS Get Caller Identity
id: b96b69c7-b1d2-44a3-9c53-f419233cac95
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to verify their current identity with the credentials they hold, both to confirm that the credentials are valid and to learn more about that identity for reconnaissance purposes.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "sts.amazonaws.com"
  events:
    - eventName: "GetCallerIdentity"
  condition: selection_source and events
level: low
tags:
  - attack.t1089
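
Triage Example

The rule is rated low because SDKs and tooling make this call routinely, so matches usually need grouping before review. The following is an added example, not part of the original definition: it applies the same two conditions to CloudTrail records and groups hits by caller ARN. The sample records are constructed, and the "more than one source IP" heuristic and all function names are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records, one JSON object per line (not real log data).
# The last line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOG = """
{"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.0.0","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.50","userAgent":"Boto3/1.14.0","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.0.0","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
{"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.0.0","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}}
not json
"""

def is_caller_identity_check(record):
    """Same two conditions as the detection: STS event source and event name."""
    return (record.get("eventSource") == "sts.amazonaws.com"
            and record.get("eventName") == "GetCallerIdentity")

def parse_records(text):
    """Yield one dict per JSON line, skipping blank or unparseable lines."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def summarize(text):
    """Group matching events by caller ARN: count, source IPs, user agents."""
    summary = defaultdict(lambda: {"count": 0, "source_ips": set(), "user_agents": set()})
    for record in parse_records(text):
        if not is_caller_identity_check(record):
            continue
        identity = record.get("userIdentity") or {}
        entry = summary[identity.get("arn", "unknown")]
        entry["count"] += 1
        entry["source_ips"].add(record.get("sourceIPAddress", "unknown"))
        entry["user_agents"].add(record.get("userAgent", "unknown"))
    return dict(summary)

def multi_source_principals(summary):
    """Assumed heuristic: principals whose checks came from more than one source IP."""
    return sorted(arn for arn, e in summary.items() if len(e["source_ips"]) > 1)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for arn, entry in result.items():
        print(arn, entry["count"], sorted(entry["source_ips"]))
    print("review:", multi_source_principals(result))
```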