Create a Login Profile on an IAM User
Platform: AWS
MITRE ATT&CK Tactics
- Persistence
- Privilege Escalation
Description
Establishes persistence by creating a Login Profile on an existing IAM user. This allows an attacker to log in through the usual AWS console login process as an IAM user intended to be used programmatically.
Warm-up:
- Create an IAM user
Detonation:
- Create an IAM Login Profile on the user
References:
- https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
- https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
Instructions
Detection
Through CloudTrail's CreateLoginProfile or UpdateLoginProfile events.
In particular, it's suspicious when these events occur on IAM users intended to be used programmatically.
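One way to apply this detection to exported CloudTrail records, as an added example that is not part of the original page: it flags both event names and raises the severity when the target is an IAM user listed as programmatic. The PROGRAMMATIC_USERS inventory, the severity labels and the sample records are constructed assumptions.

```python
import json

LOGIN_PROFILE_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}
# Assumption: your own inventory of IAM users meant for programmatic access.
PROGRAMMATIC_USERS = {"ci-deployer", "backup-agent"}

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer", "userName": "ci-deployer"},
  "requestParameters": {"userName": "ci-deployer", "passwordResetRequired": false}},
 {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "UpdateLoginProfile", "sourceIPAddress": "203.0.113.20",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin", "userName": "admin"},
  "requestParameters": {"userName": "alice"}},
 {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.20",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin", "userName": "admin"},
  "requestParameters": {"userName": "alice"}},
 {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
  "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer", "userName": "ci-deployer"},
  "requestParameters": {"userName": "backup-agent"}}
]""")

def find_login_profile_changes(events, programmatic_users):
    """Return one finding per CreateLoginProfile/UpdateLoginProfile record."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in LOGIN_PROFILE_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        identity = ev.get("userIdentity") or {}
        # With no userName in the request, the call applies to the caller.
        target = params.get("userName") or identity.get("userName")
        findings.append({
            "time": ev.get("eventTime"), "event": ev["eventName"],
            "target_user": target, "actor": identity.get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "succeeded": "errorCode" not in ev,  # failed attempts are kept too
            "severity": "high" if target in programmatic_users else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in find_login_profile_changes(SAMPLE_EVENTS, PROGRAMMATIC_USERS):
        print(json.dumps(finding))
```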