Create a Login Profile on an IAM User
MITRE ATT&CK Tactics
- Privilege Escalation
Establishes persistence by creating a Login Profile on an existing IAM user. This allows an attacker to access an IAM user intended to be used programmatically through the AWS console usual login process.
- Create an IAM user
- Create an IAM Login Profile on the user
References: - https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/ - https://blog.darklab.hk/2021/07/06/trouble-in-paradise/ - https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
In particular, it's suspicious when these events occur on IAM users intended to be used programmatically.