Skip to content

Update login profile for existing user

Author Last Update
Nick Jones 2020-06-18

An adversary may attempt to maintain access by updating an existing user's login profile, allowing them to authenticate to the AWS console with a password of their choice.

MITRE IDs

Required Permissions

  • iam:UpdateLoginProfile

Required Parameters

Name Type Description Example Value
user str IAM user to update the login profile for root
password str Password to configure for login profile @#$%^&*()TestPass1234567890

Attacker Action

aws iam update-login-profile -user-name user -password password -no-password-reset-required

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:UpdateLoginProfile AND eventSource:iam.amazonaws.com  

Sigma Definition

---
title: Update login profile for existing user
id: 1fd04a6c-cf1f-4169-a9aa-1fd495f99930
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to maintain access by updating an existing user's login profile, allowing them to authenticate to the AWS console with a password of their choice.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "UpdateLoginProfile"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089