Techniques
Sample rules
AWS IAM Backdoor Users Keys
- source: sigma
- techniques:
  - t1098
Description
Detects creation of an AWS API access key for a user by a different user. Backdoored users can be used to obtain persistence in the AWS environment. This alert also lets you track the flow of AWS keys in your organization.
Detection logic
condition: selection_source and not filter
filter:
    userIdentity.arn|contains: responseElements.accessKey.userName
selection_source:
    eventName: CreateAccessKey
    eventSource: iam.amazonaws.com
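
The logic above, run over CloudTrail-style records, as an added example that is not part of the original rule or the Sigma project's code. It reads the filter value as a reference to the event's own `responseElements.accessKey.userName` field, and goes one step beyond the rule by adding a stricter variant (`rule_strict`, an assumption of this example) that shows where the substring test filters out a real cross-user key creation. The helper names, account ID and sample events are constructed for illustration.

```python
# Constructed CloudTrail records (not real data), reduced to the fields the rule reads.
def event(name, actor_arn, target):
    return {"eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor_arn},
            "responseElements": {"accessKey": {"userName": target}} if target else None}

ARN = "arn:aws:iam::111122223333:user/"  # constructed account ID
SAMPLE_EVENTS = [
    event("CreateAccessKey", ARN + "alice", "alice"),       # user creates their own key
    event("CreateAccessKey", ARN + "admin", "svc-backup"),  # key created for another user
    event("CreateAccessKey", ARN + "alice", "al"),          # target name is a substring of the actor ARN
    event("ListUsers", ARN + "admin", None),                # unrelated API call
]

def target_user(ev):
    """userName of the key owner, or None when the event returned no key."""
    return ((ev.get("responseElements") or {}).get("accessKey") or {}).get("userName")

def actor_arn(ev):
    return (ev.get("userIdentity") or {}).get("arn", "")

def selected(ev):
    """selection_source: CreateAccessKey calls against IAM."""
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") == "CreateAccessKey")

def rule_as_written(ev):
    """selection_source and not filter, with the filter as a substring test."""
    target = target_user(ev)
    return selected(ev) and not (target is not None and target in actor_arn(ev))

def rule_strict(ev):
    """Variant (assumption of this example): compare the last ARN segment exactly."""
    return selected(ev) and actor_arn(ev).rsplit("/", 1)[-1] != target_user(ev)

def alerts(rule, events=SAMPLE_EVENTS):
    """(actor, key owner) pairs for every event the rule matches."""
    return [(actor_arn(e).rsplit("/", 1)[-1], target_user(e)) for e in events if rule(e)]

if __name__ == "__main__":
    print("as written:", alerts(rule_as_written))
    print("strict:    ", alerts(rule_strict))
```

With the strict variant, calls made through an assumed role always alert, because the last ARN segment is then the session name rather than an IAM user name.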