AWS IAM UpdateLoginProfile Privilege Escalation
A user updating another user's login profile in AWS CloudTrail, potentially indicating privilege escalation.
This analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change (actor.user.uid) is different from the user whose profile is being updated (actor.user.account.uid). This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment. This detection uses Amazon Security Lake as the log source.
Attack Chain
- An attacker gains initial access to an AWS account through compromised credentials or other means (not specified in source).
- The attacker enumerates existing IAM users and their assigned permissions within the AWS environment.
- The attacker identifies a target user account whose login profile they want to modify.
- The attacker executes the
UpdateLoginProfileAPI call using their compromised credentials. This call modifies the password or other login-related attributes of the target user. - The AWS CloudTrail logs record the
UpdateLoginProfileevent, capturing details such as the actor's user ID (actor.user.uid), the target user's account ID (actor.user.account.uid), and the source IP address (src_endpoint.ip). - The attacker leverages the modified login profile to gain access to the target user account.
- With access to the target account, the attacker performs actions based on the permissions associated with that account, potentially escalating privileges or accessing sensitive resources.
Impact
Successful exploitation allows an attacker to escalate their privileges within the AWS environment. This can lead to unauthorized access to sensitive data, modification of critical configurations, and potentially complete control over the AWS account. The blast radius depends on the permissions of the compromised accounts.
Recommendation
- Deploy the Sigma rule
AWS IAM UpdateLoginProfile Anomalyto detect when a user updates the login profile of another user and tune for your environment. - Investigate any alerts generated by the Sigma rule, focusing on instances where the
actor.user.uiddiffers from theactor.user.account.uid. - Review the AWS IAM policies and roles to identify and remediate any overly permissive configurations that could facilitate privilege escalation.
- Monitor AWS CloudTrail logs for any unusual or unauthorized API calls related to IAM user management, using
ASL AWS CloudTraildata source.
Detection coverage 2
AWS IAM UpdateLoginProfile Anomaly
highDetects when a user updates the login profile of another user in AWS CloudTrail, potentially indicating privilege escalation.
ASL AWS UpdateLoginProfile
mediumThe following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user.
Detection queries are available on the platform. Get full rules →