AWS Suspect Login Profile Manipulation

Detection overview

Triggers

  • A source AWS account modifies the login profile of a target account, after which the target account accesses the AWS console.

Possible Root Causes

  • An attacker is enabling console access for credentials they have access to in order to further their attack.
  • An administrator has enabled console access for another user within the environment.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration, revert the configuration and disable the credentials associated with this alert, then perform a comprehensive investigation.
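
The trigger described above, expressed as a correlation over CloudTrail records. This is an added example, not the vendor's detection logic: it pairs a successful `CreateLoginProfile` or `UpdateLoginProfile` call made by one principal against a different IAM user with that user's next successful `ConsoleLogin`. The 24-hour window, the function names and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

PROFILE_EVENTS = {"CreateLoginProfile", "UpdateLoginProfile"}  # IAM calls that set a console password
WINDOW = timedelta(hours=24)  # assumed correlation window, not stated on the page

def event_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_suspect_pairs(records, window=WINDOW):
    """Return (source_arn, target_user, change_time, login_time) for each match."""
    changes, hits = {}, []
    for rec in sorted(records, key=event_time):
        ident = rec.get("userIdentity") or {}
        source, name = rec.get("eventSource"), rec.get("eventName")
        if source == "iam.amazonaws.com" and name in PROFILE_EVENTS and not rec.get("errorCode"):
            target = (rec.get("requestParameters") or {}).get("userName")
            # The trigger needs a source that differs from the target, so skip self-service changes.
            if target and ident.get("userName") != target:
                changes[(rec.get("recipientAccountId"), target)] = (ident.get("arn"), event_time(rec))
        elif source == "signin.amazonaws.com" and name == "ConsoleLogin":
            key = (rec.get("recipientAccountId"), ident.get("userName"))
            ok = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            if ok and key in changes and event_time(rec) - changes[key][1] <= window:
                src, when = changes.pop(key)  # one hit per profile change
                hits.append((src, key[1], when, event_time(rec)))
    return hits

def sample_record(time, service, name, actor, target=None, login=None):
    """Build a constructed CloudTrail record carrying only the fields used above."""
    return {"eventTime": time, "eventSource": service + ".amazonaws.com", "eventName": name,
            "recipientAccountId": "111122223333",
            "userIdentity": {"type": "IAMUser", "userName": actor,
                             "arn": "arn:aws:iam::111122223333:user/" + actor},
            "requestParameters": {"userName": target} if target else None,
            "responseElements": {"ConsoleLogin": login} if login else None}

SAMPLE = [  # constructed data: one suspect pair, one self-service change, one late login
    sample_record("2024-05-01T10:00:00Z", "iam", "UpdateLoginProfile", "ci-deploy", target="backup-svc"),
    sample_record("2024-05-01T10:07:00Z", "signin", "ConsoleLogin", "backup-svc", login="Success"),
    sample_record("2024-05-01T11:00:00Z", "iam", "UpdateLoginProfile", "alice", target="alice"),
    sample_record("2024-05-01T11:05:00Z", "signin", "ConsoleLogin", "alice", login="Success"),
    sample_record("2024-05-01T12:00:00Z", "iam", "CreateLoginProfile", "admin", target="newhire"),
    sample_record("2024-05-04T09:00:00Z", "signin", "ConsoleLogin", "newhire", login="Success"),
]

if __name__ == "__main__":
    for hit in find_suspect_pairs(SAMPLE):
        print(hit)
```

Each hit names the source principal to investigate first; whether the change was an authorized administrative action still has to be validated as the steps above describe.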

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:
