Type: Detection | Level: medium | Status: test

AWS IAM Backdoor Users Keys

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. This alert also gives you visibility into the flow of AWS access keys across your organization.

Author: faloker
Created: Wed Feb 12
Updated: Sun Oct 09
Rule ID: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
Category: cloud
Log Source
Product: aws
Service: cloudtrail
Detection Logic (2 selectors)
detection:
    selection_source:
        eventSource: iam.amazonaws.com
        eventName: CreateAccessKey
    filter:
        userIdentity.arn|contains: responseElements.accessKey.userName
    condition: selection_source and not filter
False Positives

Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)

AWS API keys legitimate exchange workflows
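An added example (not part of the SigmaHQ rule or its converters) that applies the "selection_source and not filter" logic above to constructed CloudTrail-style records, including the self-service false positive the rule notes. It reads the filter as the field-to-field comparison it intends (caller ARN contains the target user name); standard Sigma string matching would treat that value literally, so check how your backend renders it.

```python
# Constructed CloudTrail-style records (not real events) that exercise the rule:
# 1) alice creates a key for herself -> filtered out (self-service)
# 2) alice creates a key for bob -> alert (key created for another principal)
# 3) carol creates a key for herself via an assumed role whose session name is
#    not her user name -> alert, i.e. the naming-variant false positive the rule notes
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"accessKey": {"userName": "alice"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"accessKey": {"userName": "bob"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/session-42"},
     "responseElements": {"accessKey": {"userName": "carol"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListAccessKeys",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": None},
]

def _get(event, path):
    """Resolve a dotted Sigma field path such as 'responseElements.accessKey.userName'."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_rule(event):
    """True when the event satisfies 'selection_source and not filter'."""
    selection = (_get(event, "eventSource") == "iam.amazonaws.com"
                 and _get(event, "eventName") == "CreateAccessKey")
    if not selection:
        return False
    caller_arn = _get(event, "userIdentity.arn") or ""
    target_user = _get(event, "responseElements.accessKey.userName")
    # The filter as a field-to-field comparison: the caller's ARN contains the
    # name of the user the key was issued for, i.e. a self-service key.
    filtered = bool(target_user) and target_user in caller_arn
    return not filtered

def find_backdoor_keys(events):
    """(caller ARN, target user) for every event the rule alerts on."""
    return [(_get(e, "userIdentity.arn"), _get(e, "responseElements.accessKey.userName"))
            for e in events if matches_rule(e)]

if __name__ == "__main__":
    for caller, target in find_backdoor_keys(SAMPLE_EVENTS):
        print(f"ALERT: {caller} created an access key for {target}")
```

The third record shows why the rule's own false-positive note matters: a user working through an assumed role does not carry her user name in the ARN, so the filter cannot suppress it.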

Rule Metadata
Rule ID
0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
Status
test
Level
medium
Type
Detection
Created
Wed Feb 12
Modified
Sun Oct 09
Author
faloker
Path
rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml
Raw Tags
attack.persistence
attack.privilege-escalation
attack.t1098