AWS IAM Backdoor Users Keys
Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
Sigma rule (View on GitHub)
1title: AWS IAM Backdoor Users Keys
2id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
3status: test
4description: |
5 Detects AWS API key creation for a user by another user.
6 Backdoored users can be used to obtain persistence in the AWS environment.
7 Also with this alert, you can detect a flow of AWS keys in your org.
8references:
9 - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
10author: faloker
11date: 2020/02/12
12modified: 2022/10/09
13tags:
14 - attack.persistence
15 - attack.t1098
16logsource:
17 product: aws
18 service: cloudtrail
19detection:
20 selection_source:
21 eventSource: iam.amazonaws.com
22 eventName: CreateAccessKey
23 filter:
24 userIdentity.arn|contains: responseElements.accessKey.userName
25 condition: selection_source and not filter
26fields:
27 - userIdentity.arn
28 - responseElements.accessKey.userName
29 - errorCode
30 - errorMessage
31falsepositives:
32 - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
33 - AWS API keys legitimate exchange workflows
34level: medium
References
-
The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. - RhinoSecurityLabs/pacu
Read More
Related rules
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- AWS User Login Profile Was Modified
- Change to Authentication Method
- Google Workspace Granted Domain API Access