AWS CreateLoginProfile Activity Detection
Detects the creation of AWS IAM login profiles, which can be indicative of new user creation or modifications by potentially malicious actors for privilege escalation or persistence.
This brief focuses on detecting the creation of AWS IAM login profiles. While the source material provides limited context, the action itself—creating a login profile—can be a signal of interest. Attackers may create new IAM users or modify existing ones (creating login profiles if they don't exist) to establish persistence, escalate privileges, or move laterally within an AWS environment. Defenders should monitor these activities closely, especially if they deviate from established baselines or involve suspicious actors. The aws_createloginprofile.yml file suggests a detection rule exists within Splunk's security content framework to identify this behavior. Monitoring for this event can help identify potentially malicious activity in AWS environments.
Attack Chain
- Initial Compromise: (Assumed) The attacker gains initial access to an AWS account, possibly through compromised credentials or an exposed API key (Not documented in source).
- Privilege Escalation: The attacker attempts to escalate their privileges within the AWS environment, either through exploiting misconfigurations or leveraging existing IAM roles (Not documented in source).
- IAM Manipulation: The attacker interacts with the AWS IAM service, specifically targeting user management (Observed - CreateLoginProfile).
- Create Login Profile: The attacker uses the
CreateLoginProfileAPI call to create a login profile for a new or existing IAM user. This provides the user with console access, enabling interactive login. - Persistence: The attacker leverages the newly created user with console access as a means of persistence within the AWS environment.
- Lateral Movement: The attacker uses the new or modified user to access other AWS resources or services, expanding their control within the environment.
- Data Exfiltration / Damage: (Assumed) The attacker utilizes their access to exfiltrate sensitive data or cause damage to the AWS infrastructure. (Not documented in source).
Impact
The successful creation of a login profile by a malicious actor can lead to unauthorized access to AWS resources, data breaches, and service disruption. Attackers may use these profiles to maintain persistence, escalate privileges, and move laterally within the AWS environment. The number of victims depends on the scope of the attacker's access and the sensitivity of the compromised resources.
Recommendation
- Deploy the Sigma rule for
AWS CreateLoginProfile Activityto your SIEM and tune for your environment (Reference:aws_createloginprofile.yml). - Investigate any instances of
CreateLoginProfileevents, especially those performed by unfamiliar IAM entities, to validate legitimacy. - Monitor AWS CloudTrail logs for
CreateLoginProfileevents to ensure comprehensive visibility into IAM activity. - Enforce multi-factor authentication (MFA) for all IAM users to reduce the risk of credential compromise (General Security Best Practice).
Detection coverage 2
AWS CreateLoginProfile Activity
mediumDetects the creation of an AWS IAM Login Profile, which can indicate suspicious user creation or modification.
AWS CreateLoginProfile by Root Account
highDetects CreateLoginProfile events performed by the AWS root account, which is highly unusual and often indicative of compromise.
Detection queries are available on the platform. Get full rules →