Delete aws_update_login_profile.yml
This commit is contained in:
toffeebr33k
@@ -1,29 +0,0 @@
|
||||
title: Updating the Login Profile of other users on AWS
|
||||
id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
|
||||
status: experimental
|
||||
description: An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users.
|
||||
author: toffeebr33k
|
||||
date: 2020/11/21
|
||||
references:
|
||||
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
|
||||
logsource:
|
||||
service: cloudtrail
|
||||
detection:
|
||||
selection_source:
|
||||
- eventSource: iam.amazonaws.com
|
||||
selection_eventname:
|
||||
- eventName: UpdateLoginProfile
|
||||
filter:
|
||||
userIdentity.arn|contains: responseElements.accessKey.userName
|
||||
condition: all of selection* and not filter
|
||||
fields:
|
||||
- userIdentity.arn
|
||||
- responseElements.accessKey.userName
|
||||
- errorCode
|
||||
- errorMessage
|
||||
falsepositives:
|
||||
- Legit User Account Administration
|
||||
level: medium
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1098
|
||||
Reference in New Issue
Block a user