AWS API calls indicating retrieval of AWS sign-in token
Description
AlphaSOC detected the unexpected retrieval of an AWS sign-in token via the
GetSigninToken
action. GetSigninToken is served by the AWS console federation endpoint (it
appears in CloudTrail with the event source signin.amazonaws.com), and it
exchanges a set of temporary credentials, typically obtained with AssumeRole or
GetFederationToken, for a short-lived sign-in token that can be turned into a
console login URL. Malicious actors holding compromised credentials use this to
pivot from command-line access to a browser-based console session. Because the
console session is minted from credentials the attacker already holds, the
interactive console login page and any MFA prompt it would present are never
shown; IAM policy conditions such as aws:MultiFactorAuthPresent still apply,
since the session inherits them from the underlying credentials. When the
temporary credentials come from GetFederationToken, the console activity is
attributed to the federated user rather than directly to the access key that was
originally compromised, which obscures the origin of the activity.
Impact
This activity gives an attacker console access for the remaining lifetime of the temporary credentials while avoiding the console login flow and its MFA prompt. The attacker can move between CLI and console access at will, which splits their activity across different CloudTrail event sources and identities and makes it harder to track. The result may be unauthorized access to data and services and, depending on the privileges of the compromised credentials, compromise of critical cloud infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review AWS CloudTrail logs to investigate the context of the GetSigninToken
action: the calling identity (including the session issuer for assumed roles),
source IP address and ASN, user agent, region, and the preceding AssumeRole or
GetFederationToken call that produced the credentials. Verify whether the action
was authorized and performed by a legitimate user or identity broker. If
unauthorized, revoke active sessions where possible (for IAM roles, attach a
deny policy conditioned on aws:TokenIssueTime so that sessions issued before the
revocation time lose their permissions) or update AWS IAM policies to limit
privileges, and prevent new sessions from being created. Additionally, rotate any
potentially compromised credentials, including the long-term key used to obtain
the temporary credentials, and assess the extent of potential damage.
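The following is an added example, not AlphaSOC's detection code, that applies the severity ladder above to GetSigninToken events during a CloudTrail review. It assumes a per-principal baseline of expected actions, regions, user agents and ASNs (constructed here; in practice learned from historical activity), keyed by the userIdentity ARN, and a constructed IP-to-ASN map standing in for an enrichment lookup, since CloudTrail records carry only the source IP. The records are constructed in the shape of signin.amazonaws.com events.

```python
"""Triage GetSigninToken CloudTrail records against a per-principal baseline.

Added example with constructed baselines, records and ASN data; not AlphaSOC code.
"""
import json

# Severity ladder from the detection's table: number of unexpected
# properties (action, ASN, user agent, region) observed at the same time.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

# Constructed baseline of expected properties per principal ARN (assumption:
# in a real deployment this is learned from historical CloudTrail data).
BASELINES = {
    "arn:aws:sts::123456789012:assumed-role/ConsoleBrokerRole/broker": {
        "actions": {"GetSigninToken", "GetFederationToken"},
        "regions": {"us-east-1"},
        "user_agents": {"aws-sdk-go/1.44.0"},
        "asns": {"AS16509"},
    },
    "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner": {
        "actions": {"AssumeRole", "PutObject", "UpdateFunctionCode"},
        "regions": {"us-east-1", "eu-west-1"},
        "user_agents": {"aws-cli/2.15.30"},
        "asns": {"AS16509"},
    },
}
EMPTY_BASELINE = {"actions": set(), "regions": set(), "user_agents": set(), "asns": set()}

# Constructed IP -> ASN map standing in for a GeoIP/ASN enrichment lookup.
IP_TO_ASN = {
    "52.94.76.10": "AS16509",
    "203.0.113.45": "AS64496",
    "198.51.100.7": "AS64511",
}

# Constructed CloudTrail records (JSON lines) in the shape of sign-in events.
CLOUDTRAIL_JSONL = """
{"eventSource":"signin.amazonaws.com","eventName":"GetSigninToken","awsRegion":"us-east-1","sourceIPAddress":"52.94.76.10","userAgent":"aws-sdk-go/1.44.0","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ConsoleBrokerRole/broker"}}
{"eventSource":"signin.amazonaws.com","eventName":"GetSigninToken","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.45","userAgent":"python-requests/2.31.0","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ConsoleBrokerRole/broker"}}
{"eventSource":"signin.amazonaws.com","eventName":"GetSigninToken","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userAgent":"curl/8.4.0","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"}}
{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-1","sourceIPAddress":"52.94.76.10","userAgent":"aws-cli/2.15.30","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/ci"}}
""".strip()


def load_records(jsonl):
    """Parse JSON-lines CloudTrail output into record dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def unexpected_properties(record, baseline):
    """Return the names of the properties that fall outside the baseline."""
    asn = IP_TO_ASN.get(record["sourceIPAddress"], "unknown")
    checks = {
        "action": record["eventName"] in baseline["actions"],
        "asn": asn in baseline["asns"],
        "user_agent": record["userAgent"] in baseline["user_agents"],
        "region": record["awsRegion"] in baseline["regions"],
    }
    return [name for name, ok in checks.items() if not ok]


def severity_for(count):
    """Map a count of unexpected properties to the table's severity (None if all expected)."""
    if count == 0:
        return None
    return SEVERITY[min(count, 3)]


def triage(records):
    """Flag GetSigninToken events whose context deviates from the caller's baseline."""
    alerts = []
    for rec in records:
        if rec["eventSource"] != "signin.amazonaws.com" or rec["eventName"] != "GetSigninToken":
            continue
        principal = rec["userIdentity"]["arn"]
        # An unknown principal has no expected properties, so every check fails.
        baseline = BASELINES.get(principal, EMPTY_BASELINE)
        unexpected = unexpected_properties(rec, baseline)
        sev = severity_for(len(unexpected))
        if sev is None:
            continue  # a known console broker behaving as usual
        alerts.append({
            "principal": principal,
            "source_ip": rec["sourceIPAddress"],
            "user_agent": rec["userAgent"],
            "unexpected": unexpected,
            "severity": sev,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(load_records(CLOUDTRAIL_JSONL)):
        print(json.dumps(alert))
```

The first record is a legitimate identity broker calling GetSigninToken from its usual ASN and SDK and produces no alert. The second is the same broker identity seen from a foreign ASN with a scripting user agent, two unexpected properties, so Low. The third is a deployment role that never federates into the console, calling from an unknown ASN with curl, three unexpected properties, so Medium; the preceding AssumeRole for that role is the event to pull next during the review.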