Full Report
Attackers can take advantage of a quirk of the default AWS configuration (without SourceIdentity configured) to potentially make detecting and attributing their actions more difficult.
Analysis Summary
# Tool/Technique: Console Conceal
## Overview
Console Conceal is a technique attackers use in AWS environments to obscure the originally compromised credentials (the initial foothold). It relies on how AWS CloudTrail logs, by default, actions performed through the AWS Console under an assumed role when session-traceability features such as `SourceIdentity` are not enabled.
## Technical Details
- Type: Technique
- Platform: AWS (Amazon Web Services)
- Capabilities: Breaking the trace from an assumed role back to the compromised permanent access key by exploiting how CloudTrail records role session names for Console activity.
- First Seen: Unspecified (Recently uncovered by the research team mentioned in the article).
## MITRE ATT&CK Mapping
Since this is a specific technique related to auditing/logging manipulation and identity obfuscation in AWS, the primary mapping relates to defensive evasion and identity manipulation.
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (The logging output is manipulated to obscure identity)
- **TA0006 - Credential Access** (The premise relies on attackers having already gained access to initial credentials)
- **TA0003 - Persistence** (The goal is to maintain prolonged operations by hiding activity)
Note: A direct, perfectly fitting technique for *CloudTrail log manipulation for role session obfuscation* might not be explicitly named or might fall under a broader category depending on the exact ATT&CK version and scope used.
## Functionality
### Core Capabilities
* **Identity Obfuscation:** When an attacker uses a compromised permanent access key to assume a role and then acts through the AWS Console, the CloudTrail records for those actions do not link back to the original `AssumeRole` event through the temporary access key in their `userIdentity` block, which complicates attribution.
* **Session Name Manipulation:** Attackers exploit the fact that the `roleSessionName` provided during an `AssumeRole` call is treated as free-form, unverified metadata, which becomes visible in subsequent `userIdentity` logs of actions performed under that temporary session.
### Advanced Features
* **Decoupling Logs:** The technique relies on the difference between how role assumption is logged for the CLI/SDK and for the Console: the CLI/SDK path provides full traceability through two linked records (the `AssumeRole` event and the subsequent action event), a link that Console-based sessions lack.
* **Heuristic Recovery:** While the technique hides the initial credential, the article later describes a heuristic recovery method using three fields in the post-assumed-role CloudTrail events (`sessionContext`, `userName`, `principalId`) to link back to the original `AssumeRole` event, which can then be correlated with `ConsoleLogin` events to find the source IP.
## Indicators of Compromise
This technique is behavioral and configuration-dependent, so its indicators are detection markers rather than malware hashes.
- File Hashes: N/A (Technique description)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators:
* CloudTrail records of actions performed under an assumed role whose `userIdentity` elements (e.g., `sessionContext.sessionIssuer.userName` holding the role name, and the `principalId` correlation) cannot be mapped back to a preceding `AssumeRole` event with the traceability that non-Console sessions provide.
* Actions recorded under an assumed role where the session name chosen by the attacker does not logically match the principal associated with the session or has been arbitrarily set to mimic another user (e.g., setting session name to '[email protected]').
## Associated Threat Actors
The article describes a fictional attacker named "Eve" using the technique to hide the activity of the initially compromised user "Alice." This suggests any actor gaining unauthorized AWS credentials and aiming for persistence or denial/deception could use this.
## Detection Methods
Detection focuses on identifying the breakdown or inconsistency in the expected CloudTrail role chaining/attribution.
- Signature-based detection: Applicable if specific role session names are flagged or if known C2 patterns are observed, but less effective against the core concealment mechanism.
- Behavioral detection: Monitoring for activity where temporary session principals are used without clear, correlating upstream `AssumeRole` events that satisfy full traceability requirements.
- YARA rules: N/A
- **Heuristic Recovery (as described):** Correlating three key fields in the resulting CloudTrail events (`sessionContext`, `userName`, `principalId`) against the request parameters of a preceding `AssumeRole` event, and further linking to `ConsoleLogin` events to identify the source IP address.
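The heuristic recovery method named under Core Capabilities and again here is easiest to see as code. The following is an added example, not code from the original report or from the research team it summarizes: it runs over a constructed set of CloudTrail-style records (field names follow CloudTrail's schema, but the account id, key ids, names and IP address are made up), first tries the direct link that CLI/SDK sessions give (the action's temporary `accessKeyId` equals the key STS returned in the `AssumeRole` response), and when that fails falls back to the three-field heuristic: role ARN and role name from `sessionContext.sessionIssuer`, plus the session name carried in `principalId`, matched against the `requestParameters` of the nearest preceding `AssumeRole`. It then pulls the source IP from the `ConsoleLogin` event recorded for the same role session.

```python
"""Heuristic recovery of the AssumeRole event behind actions taken under a role session.

Added example, not code from the original report. The records below are constructed
CloudTrail-style events: field names follow CloudTrail's schema (userIdentity,
sessionContext, requestParameters, responseElements); the values are made up.
"""
import json
from datetime import datetime, timezone

# Constructed sample log, one CloudTrail record per line. "alice" assumes AdminRole with the
# session name "ops-admin"; ListBuckets comes from a Console session whose temporary key
# differs from the one STS returned, while ListUsers reuses the returned key (CLI/SDK path).
SAMPLE_LOG = r"""
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","principalId":"AIDAEXAMPLEALICE","arn":"arn:aws:iam::123456789012:user/alice","accountId":"123456789012","accessKeyId":"AKIAEXAMPLEALICE","userName":"alice"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/AdminRole","roleSessionName":"ops-admin"},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLECLI0001"},"assumedRoleUser":{"assumedRoleId":"AROAEXAMPLEADMIN:ops-admin","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/ops-admin"}}}
{"eventTime":"2024-05-01T10:00:30Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLEADMIN:ops-admin","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/ops-admin","accountId":"123456789012","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"AROAEXAMPLEADMIN","arn":"arn:aws:iam::123456789012:role/AdminRole","accountId":"123456789012","userName":"AdminRole"}}}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLEADMIN:ops-admin","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/ops-admin","accountId":"123456789012","accessKeyId":"ASIAEXAMPLECONSOLE9","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"AROAEXAMPLEADMIN","arn":"arn:aws:iam::123456789012:role/AdminRole","accountId":"123456789012","userName":"AdminRole"}}}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLEADMIN:ops-admin","arn":"arn:aws:sts::123456789012:assumed-role/AdminRole/ops-admin","accountId":"123456789012","accessKeyId":"ASIAEXAMPLECLI0001","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"AROAEXAMPLEADMIN","arn":"arn:aws:iam::123456789012:role/AdminRole","accountId":"123456789012","userName":"AdminRole"}}}}
"""


def parse_events(text):
    """Parse one JSON record per line and return them ordered by eventTime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["eventTime"])


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_name(principal_id):
    """AssumedRole principalId is '<role unique id>:<roleSessionName>'; return the session name."""
    return principal_id.split(":", 1)[1] if ":" in principal_id else None


def link_to_assume_role(action, assume_events, window_seconds=3600):
    """Return (assume_role_event, how) for an action under a role session, or (None, None).

    'direct'    : the action's temporary accessKeyId is the one STS returned (CLI/SDK path).
    'heuristic' : no key match; fall back to role ARN and role name from sessionIssuer plus the
                  session name from principalId, picking the latest matching AssumeRole that
                  happened within window_seconds before the action.
    """
    ident = action["userIdentity"]
    if ident.get("type") != "AssumedRole":
        return None, None
    key = ident.get("accessKeyId")
    for ar in assume_events:
        issued = ar.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        if key and issued == key:
            return ar, "direct"
    issuer = ident["sessionContext"]["sessionIssuer"]
    role_arn, role_name = issuer["arn"], issuer["userName"]
    name = session_name(ident["principalId"])
    best = None
    for ar in assume_events:
        rp = ar.get("requestParameters", {})
        if rp.get("roleArn") != role_arn or rp.get("roleSessionName") != name:
            continue
        if rp["roleArn"].rsplit("/", 1)[-1] != role_name:  # issuer userName must be the role name
            continue
        age = (_when(action) - _when(ar)).total_seconds()
        if 0 <= age <= window_seconds and (best is None or _when(ar) > _when(best)):
            best = ar
    return (best, "heuristic") if best else (None, None)


def console_login_ip(session_principal_id, events):
    """Source IP of the ConsoleLogin recorded for the same role session, if any."""
    for e in events:
        if e.get("eventName") == "ConsoleLogin" and e["userIdentity"].get("principalId") == session_principal_id:
            return e.get("sourceIPAddress")
    return None


def attribute_actions(events):
    """For every non-login action under a role session, recover who assumed the role and from where."""
    assume_events = [e for e in events
                     if e.get("eventSource") == "sts.amazonaws.com" and e.get("eventName") == "AssumeRole"]
    findings = []
    for e in events:
        if e["userIdentity"].get("type") != "AssumedRole" or e.get("eventName") == "ConsoleLogin":
            continue
        ar, how = link_to_assume_role(e, assume_events)
        findings.append({
            "eventName": e["eventName"],
            "linked_via": how,
            "source_principal": ar["userIdentity"]["arn"] if ar else None,
            # Present only when SourceIdentity was set on AssumeRole; absent in the concealed case.
            "source_identity": e["userIdentity"].get("sessionContext", {}).get("sourceIdentity"),
            "console_login_ip": console_login_ip(e["userIdentity"]["principalId"], events),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(attribute_actions(parse_events(SAMPLE_LOG)), indent=2))
```

On the constructed log, `ListUsers` links directly through the access key, while `ListBuckets` (the Console session) only links through the heuristic; both resolve to `alice` and to the `ConsoleLogin` source IP. The `source_identity` field stays empty for every action, which is the gap `SourceIdentity` closes: a session name is attacker-chosen, whereas the heuristic still depends on the `AssumeRole` record being within the chosen window and on the session name not having been reused by another caller.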
## Mitigation Strategies
Prevention centers on enabling AWS enhanced security features.
- Prevention measures:
* **Enable Enhanced Session Traceability:** Mandate the use of the `SourceIdentity` parameter during all `AssumeRole` calls. This parameter is explicitly logged and directly attributes actions taken under the assumed role back to the source principal, neutralizing the Console Conceal technique.
- Hardening recommendations:
* Review and enforce best practices for role assumption across the organization, ensuring client applications (including those running the Console) are configured to populate non-default session context fields where possible.
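Mandating `SourceIdentity` is enforced in the role's trust policy rather than on the caller's side, so it is worth checking trust policies mechanically. The following is an added example, not code from the original report: it shows a constructed weak trust policy beside a hardened one (account id and user name are made up; `sts:AssumeRole`, `sts:SetSourceIdentity` and the `sts:SourceIdentity` condition key are real IAM identifiers) and a small lint that flags any statement allowing `sts:AssumeRole` without a source-identity requirement.

```python
"""Lint an IAM role trust policy for SourceIdentity enforcement.

Added example, not code from the original report. Both policies are constructed; the
action names and condition key are the real IAM identifiers.
"""
from fnmatch import fnmatchcase

# Weak: lets alice assume the role and says nothing about source identity, so a session
# started with her key carries no field that ties it back to her.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
        "Action": "sts:AssumeRole",
    }],
}

# Hardened: the caller must be allowed to set a source identity (sts:SetSourceIdentity) and
# AssumeRole is only allowed when sts:SourceIdentity equals her user name, so the value is
# recorded in sessionContext.sourceIdentity for every action taken in the session.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
        "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
        "Condition": {"StringEquals": {"sts:SourceIdentity": "alice"}},
    }],
}


def _as_list(value):
    """IAM lets Statement/Action be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows(statement, action):
    """True when an Allow statement's Action covers `action` (IAM '*' wildcards honoured)."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def _constrains_source_identity(statement):
    """True when any condition operator in the statement references sts:SourceIdentity."""
    return any(key.lower() == "sts:sourceidentity"
               for keys in statement.get("Condition", {}).values() for key in keys)


def lint_trust_policy(policy):
    """Return a list of findings; an empty list means every AssumeRole grant requires SourceIdentity."""
    statements = _as_list(policy.get("Statement"))
    findings = []
    grants_set = any(_allows(s, "sts:SetSourceIdentity") for s in statements)
    for i, st in enumerate(statements):
        if not _allows(st, "sts:AssumeRole"):
            continue
        if not grants_set:
            findings.append(f"statement {i}: grants sts:AssumeRole but the policy never grants "
                            f"sts:SetSourceIdentity, so callers cannot set a source identity")
        if not _constrains_source_identity(st):
            findings.append(f"statement {i}: no sts:SourceIdentity condition, so AssumeRole "
                            f"succeeds with no source identity set")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, lint_trust_policy(policy) or ["ok"])
```

The lint is intentionally conservative: it only asks whether `sts:SourceIdentity` is referenced at all, so a condition that merely matches `*` passes it. Which value to require (the caller's own user name, as in the hardened policy, or a pattern the organisation controls) is a policy decision that the check leaves to the reviewer.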
## Related Tools/Techniques
- **AWS SourceIdentity:** The primary feature designed to prevent or mitigate this technique.
- **IAM Role Assumption:** The foundational AWS mechanism exploited by this technique.
- **AWS CloudTrail:** The logging service whose default behavior is leveraged for concealment.