GetSessionToken

Event

Returns temporary credentials for an IAM user, typically used to satisfy an MFA requirement for subsequent API calls.

Security Context

  • Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Stealing application access tokens allows adversaries to impersonate applications and access resources on behalf of legitimate service principals.

Log Source

CloudTrail

Sample Event

MITRE ATT&CK Mapping

Tactics: Credential Access, Privilege Escalation

Techniques:
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...
  • T1528 — Steal Application Access Token — Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-b...