Skip to content

Create a Login Profile on an IAM User

Platform: AWS

MITRE ATT&CK Tactics

  • Persistence
  • Privilege Escalation

Description

Establishes persistence by creating a Login Profile on an existing IAM user. This allows an attacker to access an IAM user intended to be used programmatically through the AWS console usual login process.

Warm-up:

  • Create an IAM user

Detonation:

  • Create an IAM Login Profile on the user

References: - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/ - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/ - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/

Instructions

Detonate with Stratus Red Team
stratus detonate aws.persistence.iam-create-user-login-profile

Detection

Through CloudTrail's CreateLoginProfile or UpdateLoginProfile events.

In particular, it's suspicious when these events occur on IAM users intended to be used programmatically.