Possible privilege escalation via AWS login profile manipulation

Docs > Datadog Security > OOTB Rules > Possible privilege escalation via AWS login profile manipulation

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Goal

Detect a user or role attempting to create or update the password for a specified IAM user.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to create or update a password for an IAM user using the CreateLoginProfile or UpdateLoginProfile API calls respectively.

Triage and response

Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
If the API call was not made by the user:

Rotate user credentials.
Determine what other API calls were made by the user.
Remove any passwords generated by the user with the aws-cli command delete-login-profile or use the AWS Console.

If the API call was made by the user:

Determine if the user should be performing this API call.
If No, see if other API calls were made by the user and determine if they warrant further investigation.

ChangeLog

27 June 2023 - Updated rule query, name, case, goal and strategy to reflect login profile creation and login profile update.