Skip to content

Create an Access Key on an IAM User

Platform: AWS

MITRE ATT&CK Tactics

  • Persistence
  • Privilege Escalation

Description

Establishes persistence by creating an access key on an existing IAM user.

Warm-up:

  • Create an IAM user.

Detonation:

  • Create an IAM access key on the user.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.persistence.iam-backdoor-user

Detection

Through CloudTrail's CreateAccessKey event. This event can hardly be considered suspicious by itself, unless correlated with other indicators. '