Password recovery request completed

cloudtrail

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an API request to reset the password of the root user is made from a suspicious IP address.

Strategy

Monitor CloudTrail logs to detect the API call PasswordRecoveryCompleted from a suspicious IP address. This indicates that the root user password was reset.

Triage and response

  1. Determine if the request to reset the root user password should have been made.
  2. If not, investigate the action performed by {{@userIdentity.arn}} for indicators of account compromise, and rotate credentials if necessary.