AWS User Login Profile Was Modified
Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
Sigma rule (View on GitHub)
1title: AWS User Login Profile Was Modified
2id: 055fb148-60f8-462d-ad16-26926ce050f1
3status: test
4description: |
5 Detects activity when someone is changing passwords on behalf of other users.
6 An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
7references:
8 - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
9author: toffeebr33k
10date: 2021-08-09
11modified: 2024-04-26
12tags:
13 - attack.persistence
14 - attack.t1098
15logsource:
16 product: aws
17 service: cloudtrail
18detection:
19 selection:
20 eventSource: 'iam.amazonaws.com'
21 eventName: 'UpdateLoginProfile'
22 filter_main_user_identity:
23 userIdentity.arn|fieldref: requestParameters.userName
24 condition: selection and not 1 of filter_main_*
25falsepositives:
26 - Legitimate user account administration
27level: high
References
-
A centralized source of all AWS IAM privilege escalation methods released by Rhino Security Labs. - RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys