STS Get Caller Identity

| Platform | Author | Last Update |
|---|---|---|
| aws | Nick Jones | 2023-07-01 |

An adversary may attempt to verify their current identity with the credentials they hold. They may do this both to confirm that the credentials are valid and to gather more information about their current identity for reconnaissance purposes.
MITRE IDs
Required Permissions
- sts:GetCallerIdentity
Required Parameters
None
Attacker Action

```
aws sts get-caller-identity
```
Detection Case
ELK query
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

```
eventName:GetCallerIdentity AND eventSource:*.sts.amazonaws.com
```
Sigma Definition

```yaml
---
title: STS Get Caller Identity
id: b96b69c7-b1d2-44a3-9c53-f419233cac95
status: experimental
author: Nick Jones
date: 2023-07-01
description: An adversary may attempt to verify their current identity with the credentials they hold. This could both be to verify that the credentials they hold are valid, and to get more information on their current identity for reconnaissance purposes.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.sts.amazonaws.com"
  events:
    - eventName: "GetCallerIdentity"
  condition: selection_source AND events
level: low
tags:
  - attack.T1087.004
```
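
The same selection applied to CloudTrail records and grouped per access key for triage, as an added example that is not part of the original page. The function names, the sample records and the "more than one source IP" heuristic are assumptions of this example. CloudTrail logs STS calls with the event source `sts.amazonaws.com`, so the bare value is accepted alongside the rule's wildcard pattern.

```python
from collections import defaultdict

def _rec(event_name, ip, key_id, user):
    """Build a constructed CloudTrail record holding only the fields used below."""
    return {"eventSource": "sts.amazonaws.com", "eventName": event_name,
            "sourceIPAddress": ip, "userAgent": "example-agent/1.0",
            "userIdentity": {"accessKeyId": key_id,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample data, not real logs (documentation IPs and example key IDs).
SAMPLE_RECORDS = [
    _rec("GetCallerIdentity", "192.0.2.10", "AKIAIOSFODNN7EXAMPLE", "ci-deploy"),
    _rec("GetCallerIdentity", "203.0.113.77", "AKIAIOSFODNN7EXAMPLE", "ci-deploy"),
    _rec("AssumeRole", "192.0.2.10", "AKIAIOSFODNN7EXAMPLE", "ci-deploy"),
    _rec("GetCallerIdentity", "198.51.100.5", "AKIAI44QH8DHBEXAMPLE", "alice"),
]

def matches_rule(record):
    """Same selection as the rule: STS event source and eventName GetCallerIdentity."""
    source = record.get("eventSource", "")
    # Accept the bare CloudTrail value as well as anything matching the
    # rule's "*.sts.amazonaws.com" pattern.
    is_sts = source == "sts.amazonaws.com" or source.endswith(".sts.amazonaws.com")
    return is_sts and record.get("eventName") == "GetCallerIdentity"

def summarize(records):
    """Group matching events per access key with call count, ARN and source IPs."""
    summary = defaultdict(lambda: {"arn": None, "count": 0, "source_ips": set()})
    for record in records:
        if not matches_rule(record):
            continue
        identity = record.get("userIdentity", {})
        entry = summary[identity.get("accessKeyId", "unknown")]
        entry["arn"] = identity.get("arn")
        entry["count"] += 1
        entry["source_ips"].add(record.get("sourceIPAddress"))
    return dict(summary)

def keys_with_multiple_sources(records):
    """Triage heuristic (assumption of this example): keys seen from more than one IP."""
    return sorted(k for k, v in summarize(records).items() if len(v["source_ips"]) > 1)

if __name__ == "__main__":
    for key_id, entry in summarize(SAMPLE_RECORDS).items():
        print(key_id, entry["arn"], entry["count"], sorted(entry["source_ips"]))
    print("review:", keys_with_multiple_sources(SAMPLE_RECORDS))
```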