About
An attacker with access to your AWS account can create an IAM user to escalate their privileges and persist in your environment.
Understanding Impact
Business Impact
When an attacker creates an IAM user in your environment, they may retain access to that environment for an extended period, even after the root cause of the breach has been identified and fixed.
Technical Impact
Attackers typically attempt to create IAM users, assign them a privileged IAM policy, and generate access keys for the newly created user.
Detection
You can detect when a new IAM user is created using the CloudTrail event CreateUser.
After creating an IAM user, attackers frequently attach a policy to it (AttachUserPolicy) and create access keys (CreateAccessKey) or login profiles (CreateLoginProfile).
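As an added example (not part of the original page), the following Python correlates the CloudTrail events named above into one finding per newly created IAM user; the set of "privileged" policy ARNs and the sample records are assumptions constructed for illustration.

```python
# Added example (not from the original page): correlate the CloudTrail events
# named above into one finding per newly created IAM user.
from collections import defaultdict

# Assumption: which managed policies count as privileged is an analyst choice.
PRIVILEGED_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}
FOLLOW_UP_EVENTS = {"AttachUserPolicy", "CreateAccessKey", "CreateLoginProfile"}


def detect_iam_user_persistence(records):
    """Return {new_user_name: finding} for users that were created and then
    given a policy, an access key or a login profile within the same batch."""
    created_by = {}  # userName -> ARN of the principal that created it
    findings = defaultdict(lambda: {"creator": None, "events": [], "privileged_policy": False})
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("userName")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if rec.get("eventName") == "CreateUser" and target:
            created_by[target] = actor
        elif rec.get("eventName") in FOLLOW_UP_EVENTS and target in created_by:
            finding = findings[target]
            finding["creator"] = created_by[target]
            finding["events"].append(rec["eventName"])
            if params.get("policyArn") in PRIVILEGED_POLICY_ARNS:
                finding["privileged_policy"] = True
    return dict(findings)


# Constructed sample records in the shape of CloudTrail IAM events (not real data).
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "svc-backup"}},
    # Routine key rotation for a long-standing user: no CreateUser seen, so not flagged.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
]

if __name__ == "__main__":
    for user, finding in detect_iam_user_persistence(SAMPLE_RECORDS).items():
        print(user, finding)
```

In production the batch would be a time window of trail records, and the creator ARN in the finding is the principal whose credentials need to be revoked alongside the new user.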
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.persistence.iam-create-admin-user
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "AWS IAM privileged policy was applied to a user".
References
Create an administrative IAM User (stratus-red-team.cloud)
From CLI to console, chasing an attacker in AWS (expel.com)
Anatomy of an Attack: Exposed keys to Crypto Mining (permiso.io)
A case study of Cloud compromise (blog.darklab.hk)
M-Trends 2021, page 73 (mandiant.com)
Sample incident (pdpc.gov.sg)
Hunting for signs of persistence in the cloud (wiz.io)