AWS User Login Profile Was Modified
Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
Sigma rule (View on GitHub)
1title: AWS User Login Profile Was Modified
2id: 055fb148-60f8-462d-ad16-26926ce050f1
3status: test
4description: |
5 Detects activity when someone is changing passwords on behalf of other users.
6 An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
7references:
8 - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
9author: toffeebr33k
10date: 2021-08-09
11modified: 2024-04-26
12tags:
13 - attack.persistence
14 - attack.privilege-escalation
15 - attack.t1098
16logsource:
17 product: aws
18 service: cloudtrail
19detection:
20 selection:
21 eventSource: 'iam.amazonaws.com'
22 eventName: 'UpdateLoginProfile'
23 filter_main_user_identity:
24 userIdentity.arn|fieldref: requestParameters.userName
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Legitimate user account administration
28level: high
References
-
A centralized source of all AWS IAM privilege escalation methods released by Rhino Security Labs. - RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys