Skip to content

Create a Login Profile on an IAM User

Platform: AWS

MITRE ATT&CK Tactics

  • Persistence
  • Privilege Escalation

Description

Establishes persistence by creating a Login Profile on an existing IAM user. This allows an attacker to access an IAM user intended to be used programmatically through the AWS console usual login process.

Warm-up:

  • Create an IAM user

Detonation:

  • Create an IAM Login Profile on the user

Instructions

Detonate with Stratus Red Team
stratus detonate aws.persistence.iam-create-user-login-profile

Detection

Through CloudTrail's CreateLoginProfile or UpdateLoginProfile events.

In particular, it's suspicious when these events occur on IAM users intended to be used programmatically.