From eef6e71e2ef222bb484602368a146412d9e62a30 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Tue, 7 Sep 2021 12:39:56 +0100 Subject: [PATCH 1/2] Update AWS Update Login Profile Rule fields Missed updating field from `responseElements.accessKey.userName` to `requestParameters.userName` on last update. --- rules/cloud/aws/aws_update_login_profile.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml index 6815fe2fe..b4254d07d 100644 --- a/rules/cloud/aws/aws_update_login_profile.yml +++ b/rules/cloud/aws/aws_update_login_profile.yml @@ -5,7 +5,7 @@ description: | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users. author: toffeebr33k -date: 2021/08/09 +date: 2021/09/07 references: - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation logsource: @@ -19,7 +19,7 @@ detection: condition: selection_source and not filter fields: - userIdentity.arn - - responseElements.accessKey.userName + - requestParameters.userName - errorCode - errorMessage falsepositives: From be5351947c3c09db92cb2d5b1ad59ae0e03e3361 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Tue, 7 Sep 2021 16:36:59 +0100 Subject: [PATCH 2/2] Unset date update Signed-off-by: Rachel Rice --- rules/cloud/aws/aws_update_login_profile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml index b4254d07d..d8468d6de 100644 --- a/rules/cloud/aws/aws_update_login_profile.yml +++ b/rules/cloud/aws/aws_update_login_profile.yml 
@@ -5,7 +5,7 @@ description: | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users. author: toffeebr33k -date: 2021/09/07 +date: 2021/08/09 references: - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation logsource:
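Review bot: in the first hunk of PATCH 1/2 (`-date: 2021/08/09` / `+date: 2021/09/07`), the `date` line of the rule is being bumped, but PATCH 2/2 reverts exactly this line, so across the series the change is a no-op and only adds churn to the history; if the intent was to record when the rule was last touched, Sigma has a separate `modified` field for that and `date` should keep the original creation date. As a style point in the same hunk's context, the description sentence "With this alert, it is used to detect anyone is changing password on behalf of other users." reads awkwardly and could be tightened to something like "This rule detects a principal changing the console password of another user." in a follow-up.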
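Review bot: in the second hunk of PATCH 1/2 (`-  - responseElements.accessKey.userName` / `+  - requestParameters.userName`), the `fields` entry is brought in line with the commit message, which says the detection logic already moved to `requestParameters.userName` on the last update; the `detection:` selection and `filter` are outside this hunk's context, so please confirm they reference `requestParameters.userName` as well so that the listed output field matches the field actually matched on. The new field is the right one for this event: a CloudTrail `UpdateLoginProfile` record carries the target user in `requestParameters.userName`, and `responseElements` is empty for that API call, so the old `responseElements.accessKey.userName` entry would never have been populated in the alert output.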
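Review bot: the single hunk of PATCH 2/2 (`-date: 2021/09/07` / `+date: 2021/08/09`) does nothing except undo the `date` change introduced by PATCH 1/2, so the two commits should be squashed before merge; the resulting single commit would contain only the `fields` fix, and the intermediate date bump and the "Unset date update" commit would not need to appear in the repository history at all.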