AWS User Hijacking

AWS User Hijacking

Detection overview

Triggers

  • After enumerating users in the environment, add an access key to another user in the environment.

Possible Root Causes

  • An attacker is expanding access to additional users within the environment.
  • Authorized IT Automation is using access keys to interact on behalf of other users within the environment.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Validate that any modifications are authorized, given the purpose and policies governing this resource.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS User Hijacking

Possible root causes

Malicious Detection

Benign Detection

AWS User Hijacking

Example scenarios

AWS User Hijacking

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

AWS User Hijacking

Steps to investigate

AWS User Hijacking

MITRE ATT&CK techniques covered

AWS User Hijacking

Related detections

No items found.

FAQs