Skip to content
Threat Feed
high advisory

AWS IAM UpdateLoginProfile Privilege Escalation

A user updating another user's login profile in AWS CloudTrail, potentially indicating privilege escalation.

This analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change (actor.user.uid) is different from the user whose profile is being updated (actor.user.account.uid). This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment. This detection uses Amazon Security Lake as the log source.

Attack Chain

  1. An attacker gains initial access to an AWS account through compromised credentials or other means (not specified in source).
  2. The attacker enumerates existing IAM users and their assigned permissions within the AWS environment.
  3. The attacker identifies a target user account whose login profile they want to modify.
  4. The attacker executes the UpdateLoginProfile API call using their compromised credentials. This call modifies the password or other login-related attributes of the target user.
  5. The AWS CloudTrail logs record the UpdateLoginProfile event, capturing details such as the actor's user ID (actor.user.uid), the target user's account ID (actor.user.account.uid), and the source IP address (src_endpoint.ip).
  6. The attacker leverages the modified login profile to gain access to the target user account.
  7. With access to the target account, the attacker performs actions based on the permissions associated with that account, potentially escalating privileges or accessing sensitive resources.

Impact

Successful exploitation allows an attacker to escalate their privileges within the AWS environment. This can lead to unauthorized access to sensitive data, modification of critical configurations, and potentially complete control over the AWS account. The blast radius depends on the permissions of the compromised accounts.

Recommendation

  • Deploy the Sigma rule AWS IAM UpdateLoginProfile Anomaly to detect when a user updates the login profile of another user and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on instances where the actor.user.uid differs from the actor.user.account.uid.
  • Review the AWS IAM policies and roles to identify and remediate any overly permissive configurations that could facilitate privilege escalation.
  • Monitor AWS CloudTrail logs for any unusual or unauthorized API calls related to IAM user management, using ASL AWS CloudTrail data source.

Detection coverage 2

AWS IAM UpdateLoginProfile Anomaly

high

Detects when a user updates the login profile of another user in AWS CloudTrail, potentially indicating privilege escalation.

sigma tactics: persistence, privilege_escalation techniques: T1136.003 sources: cloudtrail, aws

ASL AWS UpdateLoginProfile

medium

The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user.

sigma tactics: persistence, privilege_escalation techniques: T1136.003 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →