Create a Login Profile on an IAM User
Platform: AWS
MITRE ATT&CK Tactics
- Persistence
- Privilege Escalation
Description
Establishes persistence by creating a Login Profile on an existing IAM user. This allows an attacker to access an IAM user intended to be used programmatically through the usual AWS console login process.
Warm-up:
- Create an IAM user
Detonation:
- Create an IAM Login Profile on the user
Instructions
Detection
Through CloudTrail's CreateLoginProfile or UpdateLoginProfile events.
In particular, it's suspicious when these events occur on IAM users intended to be used programmatically.
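One way to apply this detection to a CloudTrail log file, as an added example that is not part of the original page. The PROGRAMMATIC_USERS inventory, the user names, the account ID and the sample records are constructed assumptions; replace the inventory with your own list of users that should never have a console password.

```python
import json

WATCHED_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}
# Assumption: your own inventory of IAM users meant for programmatic use only.
PROGRAMMATIC_USERS = {"ci-deployer", "backup-agent"}

# Constructed CloudTrail log file content, trimmed to the fields used below.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "ci-deployer"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "backup-agent"}},
]})

def find_login_profile_changes(log_text, programmatic_users=PROGRAMMATIC_USERS):
    """Return one finding per CreateLoginProfile/UpdateLoginProfile record."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource") != "iam.amazonaws.com"
                or rec.get("eventName") not in WATCHED_EVENTS):
            continue
        identity = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        # If the request carries no userName, fall back to the caller's own name.
        target = params.get("userName") or identity.get("userName")
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": identity.get("arn"),
            "target_user": target,
            "succeeded": "errorCode" not in rec,  # failed attempts are still reported
            "severity": "high" if target in programmatic_users else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in find_login_profile_changes(SAMPLE_LOG):
        print(finding)
```

Failed calls are kept in the output because a denied attempt against a programmatic user is itself worth triaging.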