Create an administrative IAM User
Platform: AWS
MITRE ATT&CK Tactics
- Persistence
- Privilege Escalation
Description
Establishes persistence by creating a new IAM user with administrative permissions.
Warm-up: None.
Detonation:
- Create the IAM user and attach the 'AdministratorAccess' managed IAM policy to it.
Instructions
Detection
Through CloudTrail's CreateUser, AttachUserPolicy and CreateAccessKey events.
While matching on these events may be impractical and prone to false positives in most environments, the following can help to craft more precise detections:
- Identify a call to CreateUser closely followed by AttachUserPolicy with an administrator policy.
- Identify a call to CreateUser resulting in an access denied error.
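The two detections above, sketched as a correlation over CloudTrail records (an added example, not part of the original page). The 5-minute window, the finding names, the `record` helper and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Assumption: "administrator policy" means the AWS-managed AdministratorAccess
# policy; add customer-managed admin policy ARNs to this set as needed.
ADMIN_POLICY_ARNS = {ADMIN}
WINDOW = timedelta(minutes=5)  # assumption: what "closely followed" means

def ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return (finding, userName, callerArn) tuples for both patterns."""
    findings, created = [], {}  # created: userName -> CreateUser time
    for ev in sorted(events, key=ts):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}  # tolerate a null value
        user = params.get("userName")
        caller = ev.get("userIdentity", {}).get("arn")
        error = ev.get("errorCode")
        if ev["eventName"] == "CreateUser":
            if error == "AccessDenied":
                findings.append(("create_user_denied", user, caller))
            elif error is None:
                created[user] = ts(ev)
        elif ev["eventName"] == "AttachUserPolicy" and error is None:
            recent = user in created and ts(ev) - created[user] <= WINDOW
            if recent and params.get("policyArn") in ADMIN_POLICY_ARNS:
                findings.append(("admin_user_created", user, caller))
    return findings

CALLER = "arn:aws:iam::111122223333:user/example-dev"  # constructed principal

def record(time, name, user, policy=None, error=None):
    """Build a constructed CloudTrail-style record with only the fields used."""
    ev = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": CALLER}, "requestParameters": {"userName": user}}
    if policy:
        ev["requestParameters"]["policyArn"] = policy
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE = [  # constructed sample, not real CloudTrail output
    record("2024-01-01T12:00:00Z", "CreateUser", "backup-admin"),
    record("2024-01-01T12:00:03Z", "AttachUserPolicy", "backup-admin", ADMIN),
    record("2024-01-01T12:10:00Z", "CreateUser", "ci-bot"),
    record("2024-01-01T12:20:00Z", "CreateUser", "svc-test", error="AccessDenied"),
    record("2024-01-01T13:00:00Z", "AttachUserPolicy", "ci-bot", ADMIN),
]
```

Calling `detect(SAMPLE)` flags `backup-admin` (policy attached 3 seconds after creation) and the denied `svc-test` creation, while `ci-bot` is not flagged because its attachment falls outside the window.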