Create an administrative IAM User

Platform: AWS

MITRE ATT&CK Tactics

• Persistence
• Privilege Escalation

Description

Establishes persistence by creating a new IAM user with administrative permissions.

Warm-up: None.

Detonation:

• Create the IAM user and attach the 'AdministratorAccess' managed IAM policy to it.

References:

• https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
• https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/
• https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
• https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/

Instructions

Detonate with Stratus Red Team

stratus detonate aws.persistence.iam-create-admin-user

Detection

Through CloudTrail's CreateUser, AttachUserPolicy and CreateAccessKey events.

While matching on these events may be impractical and prone to false positives in most environments, the following can help to craft more precise detections:

• Identify a call to CreateUser closely followed by AttachUserPolicy with an administrator policy.

• Identify a call to CreateUser resulting in an access denied error.