Password recovery request completed

Goal

Detect when an API request to reset the password of the root user is made from a suspicious IP address.

Strategy

Monitor CloudTrail logs to detect the API call PasswordRecoveryCompleted from a suspicious IP address. This indicates that the root user password was reset.
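
The following is an added example, not the detection rule's own query: a Python sketch of the same check run over CloudTrail records exported as JSON lines. It assumes "suspicious" means membership in a threat-intelligence CIDR list and that root events carry userIdentity.type set to "Root"; the networks, account ID and log records are constructed for illustration.

```python
import ipaddress
import json

# Assumption: a threat-intel feed reduced to CIDR ranges. These are RFC 5737
# documentation networks, constructed for the example.
SUSPICIOUS_NETWORKS = [ipaddress.ip_network(n)
                       for n in ("203.0.113.0/24", "198.51.100.17/32")]

# Constructed CloudTrail records (one JSON object per line), not real log data.
SAMPLE_LOG = """\
{"eventTime":"2024-01-10T08:15:00Z","eventSource":"signin.amazonaws.com","eventName":"PasswordRecoveryCompleted","sourceIPAddress":"203.0.113.45","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}}
{"eventTime":"2024-01-10T09:02:00Z","eventSource":"signin.amazonaws.com","eventName":"PasswordRecoveryCompleted","sourceIPAddress":"192.0.2.10","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}}
{"eventTime":"2024-01-10T09:30:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.45","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}}
{"eventTime":"2024-01-10T10:00:00Z","eventSource":"signin.amazonaws.com","eventName":"PasswordRecoveryCompleted","sourceIPAddress":"signin.amazonaws.com","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}}
"""

def is_suspicious(source_ip):
    """True if source_ip parses as an IP address inside a listed network."""
    try:
        addr = ipaddress.ip_address(str(source_ip))
    except ValueError:
        # sourceIPAddress can hold a hostname instead of an IP; no match.
        return False
    return any(addr in net for net in SUSPICIOUS_NETWORKS)

def find_root_password_resets(lines):
    """Return root PasswordRecoveryCompleted events from suspicious IPs."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines
        if event.get("eventName") != "PasswordRecoveryCompleted":
            continue
        identity = event.get("userIdentity") or {}
        if identity.get("type") != "Root":
            continue
        if is_suspicious(event.get("sourceIPAddress", "")):
            findings.append({"time": event.get("eventTime"),
                             "arn": identity.get("arn"),
                             "source_ip": event["sourceIPAddress"]})
    return findings

if __name__ == "__main__":
    for finding in find_root_password_resets(SAMPLE_LOG.splitlines()):
        print(finding)
```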

Triage and response

  1. Determine if the request to reset the root user password should have been made.
  2. If not, investigate the actions performed by {{@userIdentity.arn}} for indicators of account compromise, and rotate credentials if necessary.