---
title: Possible privilege escalation via AWS login profile manipulation
description: Datadog, the leading service for cloud-scale monitoring.
---

# Possible privilege escalation via AWS login profile manipulation

- Classification: attack
- Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)
- Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detect a user or role attempting to create or update the password for a specified IAM user.

## Strategy{% #strategy %}

This rule allows you to monitor CloudTrail and detect if an attacker has attempted to create or update a password for an IAM user using the [`CreateLoginProfile`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html) or [`UpdateLoginProfile`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html) API calls respectively.

## Triage and response{% #triage-and-response %}

1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.
1. If the API call was not made by the user:
   - Rotate user credentials.
   - Determine what other API calls were made by the user.
   - Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html) or use the [AWS Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console).
1. If the API call was made by the user:
   - Determine if the user should be performing this API call.
   - If not, see if other API calls were made by the user and determine if they warrant further investigation.
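
The strategy and the first triage steps, run over CloudTrail records as an added example; this is not Datadog's rule query. The sample records, account ID, principals, and the helper names `actor_of`, `find_login_profile_changes` and `other_calls_by` are constructed for illustration, and it assumes a missing `requestParameters.userName` means the caller's own login profile.

```python
LOGIN_PROFILE_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}

# Constructed CloudTrail records (not real logs); account ID, names and IPs are placeholders.
ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/session-a"
BOB = "arn:aws:iam::111122223333:user/bob"
SAMPLE_RECORDS = [
    {"eventTime": "2023-06-27T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2023-06-27T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "alice", "passwordResetRequired": False}},
    {"eventTime": "2023-06-27T10:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "carol"}, "errorCode": "AccessDenied"},
    {"eventTime": "2023-06-27T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "arn": BOB, "userName": "bob"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2023-06-27T10:03:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE}, "sourceIPAddress": "198.51.100.7"},
]

def actor_of(record):
    # The principal ARN identifies both IAM users and assumed-role sessions.
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")

def find_login_profile_changes(records):
    """Return one finding per attempted login profile creation or update."""
    findings = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") not in LOGIN_PROFILE_EVENTS:
            continue
        ident = r.get("userIdentity", {})
        target = (r.get("requestParameters") or {}).get("userName") or ident.get("userName")
        findings.append({
            "event": r["eventName"],
            "actor": actor_of(r),
            "target": target,
            "cross_user": target != ident.get("userName"),  # password set for someone else
            "succeeded": "errorCode" not in r,  # failed attempts are still reported
            "source_ip": r.get("sourceIPAddress"),
            "time": r.get("eventTime"),
        })
    return findings

def other_calls_by(records, actor):
    """Triage helper: every other API call name made by the same principal."""
    return sorted({r["eventName"] for r in records
                   if actor_of(r) == actor and r.get("eventName") not in LOGIN_PROFILE_EVENTS})
```

Findings with `cross_user` set to true and `succeeded` set to true are the ones where a password now exists that the target user did not choose.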

## ChangeLog{% #changelog %}

27 June 2023 - Updated rule query, name, case, goal and strategy to reflect login profile creation and login profile update.
