Create an administrative IAM User
Platform: AWS
MITRE ATT&CK Tactics
- Persistence
- Privilege Escalation
Description
Establishes persistence by creating a new IAM user with administrative permissions.
Warm-up: None.
Detonation:
- Create the IAM user and attach the 'AdministratorAccess' managed IAM policy to it.
References:
- https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
- https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
Instructions
Detection
Through CloudTrail's CreateUser, AttachUserPolicy and CreateAccessKey events.
While matching on these events may be impractical and prone to false positives in most environments, the following can help to craft more precise detections:
- Identify a call to CreateUser closely followed by AttachUserPolicy with an administrator policy.
- Identify a call to CreateUser resulting in an access denied error.
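The two detection ideas above, implemented over CloudTrail records as an added example (this is not code from the Stratus Red Team project). It correlates a CreateUser event with an AttachUserPolicy event for the same user name that grants the AdministratorAccess managed policy within a short window, and separately flags CreateUser calls that returned an access denied error. The sample records are constructed for illustration; the 10-minute correlation window is an assumption you should tune to your environment.

```python
"""Correlate CloudTrail IAM events for the admin-user persistence pattern.

Rule 1: CreateUser followed within WINDOW by AttachUserPolicy attaching
        AdministratorAccess to the newly created user.
Rule 2: CreateUser that failed with an AccessDenied-style errorCode.
"""
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per environment

# Constructed sample CloudTrail records (not real telemetry).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-01-01T10:00:07Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "backup-svc", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2024-01-01T10:00:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "backup-svc"}},
    # Benign: a CI user gets a read-only policy, must not fire rule 1.
    {"eventTime": "2024-01-01T10:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/TerraformRole"},
     "requestParameters": {"userName": "ci-reader"}},
    {"eventTime": "2024-01-01T10:30:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/TerraformRole"},
     "requestParameters": {"userName": "ci-reader",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    # Denied attempt: fires rule 2.
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app-runner"},
     "requestParameters": {"userName": "helper"}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return a list of findings for the two rules described on the page."""
    findings = []
    pending_creates = {}  # userName -> (create time, creating principal)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        target = params.get("userName")
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        when = parse_time(ev["eventTime"])

        if ev["eventName"] == "CreateUser":
            if ev.get("errorCode"):
                # Rule 2: a failed CreateUser is a strong signal on its own.
                findings.append({"rule": "create_user_denied", "actor": actor,
                                 "target": target, "errorCode": ev["errorCode"]})
            else:
                pending_creates[target] = (when, actor)
        elif ev["eventName"] == "AttachUserPolicy":
            if params.get("policyArn") != ADMIN_POLICY_ARN or target not in pending_creates:
                continue
            created_at, creator = pending_creates[target]
            if when - created_at <= WINDOW:
                # Rule 1: new user made an administrator shortly after creation.
                findings.append({"rule": "admin_user_created", "actor": actor,
                                 "creator": creator, "target": target,
                                 "seconds_after_create": int((when - created_at).total_seconds())})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Feeding real data means iterating over the `Records` array of CloudTrail log files (or query results from CloudTrail Lake or Athena) instead of `SAMPLE_EVENTS`; the correlation key is the target `userName`, not the calling principal, so it still fires when the user is created and elevated by different sessions.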