Detection | high | test

AWS User Login Profile Was Modified

Detects when someone changes a password on behalf of another user. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to log in to the AWS console for any user that already has a login profile set up.

Author: toffeebr33k | Created Mon Aug 09 | Updated Fri Apr 26 | 055fb148-60f8-462d-ad16-26926ce050f1 | cloud
Log Source: AWS / cloudtrail
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (2 selectors)
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'UpdateLoginProfile'
    filter_main_user_identity:
        userIdentity.arn|fieldref: requestParameters.userName
    condition: selection and not 1 of filter_main_*
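
The following is an added example, not part of the rule or its project: it evaluates the selection and the self-change filter over constructed CloudTrail records. Because userIdentity.arn holds a full ARN while requestParameters.userName holds a bare user name, a literal field-to-field equality never matches, so self-changes still alert; filter_arn_aware is an assumed alternative that compares the user name at the end of the ARN. All function names, the account ID and the user names are made up.

```python
# Added example: account id, user names and helper names are constructed.

def get(event, dotted):
    """Resolve a dotted field path such as 'userIdentity.arn'."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def selection(event):
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "UpdateLoginProfile")

def filter_literal(event):
    """Literal field-to-field equality between the two fields."""
    arn = get(event, "userIdentity.arn")
    return arn is not None and arn == get(event, "requestParameters.userName")

def filter_arn_aware(event):
    """Assumption: compare the user name at the end of an IAM user ARN."""
    arn = get(event, "userIdentity.arn") or ""
    target = get(event, "requestParameters.userName")
    resource = arn.split(":", 5)[-1]  # e.g. 'user/ops/alice'
    return resource.startswith("user/") and resource.rsplit("/", 1)[-1] == target

def matches(event, self_filter):
    # condition: selection and not 1 of filter_main_*
    return selection(event) and not self_filter(event)

def make_event(actor_arn, target, name="UpdateLoginProfile"):
    return {"eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": actor_arn},
            "requestParameters": {"userName": target}}

# Constructed sample records
EVENTS = {
    "other_user": make_event("arn:aws:iam::111122223333:user/mallory", "alice"),
    "self_change": make_event("arn:aws:iam::111122223333:user/ops/alice", "alice"),
    "unrelated": make_event("arn:aws:iam::111122223333:user/alice", "alice", "CreateLoginProfile"),
}

def run(self_filter):
    return {label: matches(ev, self_filter) for label, ev in EVENTS.items()}

if __name__ == "__main__":
    print("literal  :", run(filter_literal))
    print("arn-aware:", run(filter_arn_aware))
```

Callers that are not IAM users, such as assumed-role sessions, never satisfy the ARN-aware filter, so their UpdateLoginProfile calls always alert.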
False Positives

Legitimate user account administration

Rule Metadata
Rule ID: 055fb148-60f8-462d-ad16-26926ce050f1
Status: test
Level: high
Type: Detection
Created: Mon Aug 09
Modified: Fri Apr 26
Path: rules/cloud/aws/cloudtrail/aws_update_login_profile.yml
Raw Tags: attack.persistence, attack.privilege-escalation, attack.t1098