AWS Suspect Login Profile Manipulation
Detection overview
Triggers
- A source AWS account modifies the login profile of a target account, following which the target account accesses the AWS console.
Possible Root Causes
- An attacker is enabling access to the console for credentials they have access to, to further their attack.
- An administrator has enabled console access for another user within the environment.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Validate that any modifications are authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspect Login Profile Manipulation
Possible root causes
Malicious Detection
Benign Detection
AWS Suspect Login Profile Manipulation
Example scenarios
AWS Suspect Login Profile Manipulation
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
AWS Suspect Login Profile Manipulation
Steps to investigate
AWS Suspect Login Profile Manipulation
Related detections
No items found.