Create login profile for existing user

Author: Nick Jones
Last Update: 2020-06-18

An adversary may attempt to maintain access by adding a login profile to a user that does not have one configured, allowing them to authenticate to the AWS console with a password of their choice

MITRE IDs

Required Permissions

  • iam:CreateLoginProfile

Required Parameters

Name     | Type | Description                              | Example Value
user     | str  | IAM user to create the login profile for | root
password | str  | Password to configure for login profile  | @#$%^&*()TestPass1234567890

Attacker Action

aws iam create-login-profile --user-name user --password password --no-password-reset-required

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:CreateLoginProfile AND eventSource:iam.amazonaws.com

Sigma Definition

---
title: Create login profile for existing user
id: e367ad8f-0173-4cb3-8f1a-9b76b69b9de1
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to maintain access by adding a login profile to a user that does not have one configured, allowing them to authenticate to the AWS console with a password of their choice
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "CreateLoginProfile"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
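The selection expressed by the Lucene query and the Sigma rule above, applied directly to a CloudTrail delivery file, as an added Python example that is not part of the original page: it keeps CreateLoginProfile events from iam.amazonaws.com and pulls out the actor, the target user and whether the call succeeded, which is what a responder needs to triage the alert. The sample records are constructed, and the camelCase requestParameters field names (userName, passwordResetRequired) are assumed to match how CloudTrail logs this API.

```python
import json

# Constructed CloudTrail records (not real data): one successful CreateLoginProfile,
# one unrelated IAM call, and one CreateLoginProfile that AWS rejected.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2020-06-18T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"userName": "backup-operator", "passwordResetRequired": False},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2020-06-18T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "auditor"},
     "requestParameters": None, "sourceIPAddress": "198.51.100.8"},
    {"eventTime": "2020-06-18T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "intern"},
     "requestParameters": {"userName": "admin"},
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.9"},
]})


def find_login_profile_creations(cloudtrail_json: str) -> list[dict]:
    """Return CreateLoginProfile events from a CloudTrail delivery file.

    Same selection as the page's Lucene query and Sigma rule
    (eventSource == iam.amazonaws.com AND eventName == CreateLoginProfile),
    enriched with the fields an analyst needs to triage the hit.
    """
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateLoginProfile":
            continue
        params = rec.get("requestParameters") or {}  # None when AWS logs no parameters
        hits.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("userName"),
            "target_user": params.get("userName"),
            # CloudTrail never records the password itself; the reset flag is logged
            # (field name assumed to be camelCase, as CloudTrail does for request parameters).
            "reset_required": params.get("passwordResetRequired"),
            "source_ip": rec.get("sourceIPAddress"),
            # Denied attempts are kept but flagged: they still show intent.
            "succeeded": "errorCode" not in rec,
        })
    return hits


if __name__ == "__main__":
    for hit in find_login_profile_creations(SAMPLE_CLOUDTRAIL):
        print(hit)
```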