AWS Account Login Profile Update
An AWS account's login profile has been modified, potentially indicating account compromise, privilege escalation, or malicious user activity.
The UpdateLoginProfile API call in AWS allows modification of a user's password and password reset requirements. While legitimate administrator activity can trigger this event, it's also a potential indicator of malicious behavior. An attacker with compromised credentials or an insider threat could use this API call to change a user's password, lock them out of their account, and potentially escalate privileges or maintain persistence within the AWS environment. This activity is particularly concerning if MFA is not enforced, or if the user in question has elevated permissions.
Attack Chain
- An attacker gains initial access to an AWS account through compromised credentials, phishing, or other means.
- The attacker enumerates existing IAM users to identify potential targets for account takeover.
- The attacker calls the
UpdateLoginProfileAPI, targeting a specific IAM user. - The attacker sets a new password for the targeted IAM user.
- The attacker may optionally require the user to reset their password on the next login.
- If successful, the attacker can now log in as the targeted user.
- The attacker leverages the compromised account to access sensitive resources, launch attacks, or exfiltrate data.
Impact
Successful exploitation could lead to unauthorized access to AWS resources, data breaches, privilege escalation, and disruption of services. The impact is dependent on the permissions associated with the compromised IAM user.
Recommendation
- Monitor AWS CloudTrail logs for
UpdateLoginProfileevents and deploy the Sigma rules to identify suspicious activity. - Investigate any instances of
UpdateLoginProfileevents that do not originate from authorized administrators (see rules). - Enforce multi-factor authentication (MFA) for all IAM users to mitigate the risk of credential compromise.
- Implement strong password policies and regularly rotate passwords to reduce the effectiveness of brute-force attacks.
- Review IAM user permissions and follow the principle of least privilege to minimize the impact of potential account compromise.
Detection coverage 3
Detect AWS UpdateLoginProfile from Unusual Source IP
mediumDetects UpdateLoginProfile calls from source IPs not usually associated with administrative activity.
Detect AWS UpdateLoginProfile without MFA
highDetects UpdateLoginProfile calls where MFA was not used for authentication.
Detect AWS UpdateLoginProfile by a new or infrequent user
mediumDetects UpdateLoginProfile calls made by a previously unseen or infrequent user account
Detection queries are available on the platform. Get full rules →