Techniques
Sample rules
AWS User Login Profile Was Modified
- source: sigma
- techniques:
  - t1098
Description
Detects when someone changes a password on behalf of another user. An attacker with the “iam:UpdateLoginProfile” permission on other users can change the password used to log in to the AWS console for any user that already has a login profile set up.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_user_identity:
  userIdentity.arn|fieldref: requestParameters.userName
selection:
  eventName: UpdateLoginProfile
  eventSource: iam.amazonaws.com
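The detection logic above, evaluated over a few constructed CloudTrail records. This is an added example, not part of the Sigma rule or of any Sigma backend. Assumptions: the account ID, user names and helper names are made up; by default the filter compares the IAM user name at the end of `userIdentity.arn` with `requestParameters.userName` (an assumption about the filter's intent), while `strict=True` compares the two field values for plain equality.

```python
# Constructed CloudTrail records; account ID and user names are made up.
def record(name, actor_arn, target):
    return {"eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor_arn},
            "requestParameters": {"userName": target}}

ACCT = "arn:aws:iam::111122223333"
EVENTS = [
    record("UpdateLoginProfile", ACCT + ":user/admin", "bob"),    # reset for another user
    record("UpdateLoginProfile", ACCT + ":user/bob", "bob"),      # self-service change
    record("CreateLoginProfile", ACCT + ":user/admin", "carol"),  # different API call
    record("UpdateLoginProfile",
           "arn:aws:sts::111122223333:assumed-role/Ops/session1", "alice"),
]

def get(event, dotted):
    """Resolve a dotted field name such as 'userIdentity.arn'; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def selection(event):
    return (get(event, "eventSource") == "iam.amazonaws.com"
            and get(event, "eventName") == "UpdateLoginProfile")

def filter_main_user_identity(event, strict=False):
    arn = get(event, "userIdentity.arn")
    target = get(event, "requestParameters.userName")
    if arn is None or target is None:
        return False
    if strict:
        # Whole-value equality: a full ARN never equals a bare user name.
        return arn == target
    # Assumed intent: the caller is the IAM user whose password is changed.
    resource = arn.split(":", 5)[-1]          # e.g. "user/bob" or "user/path/bob"
    return resource.startswith("user/") and resource.rsplit("/", 1)[-1] == target

def alerts(events, strict=False):
    """Return (actor ARN, target user) for events matching
    'selection and not 1 of filter_main_*'."""
    return [(get(e, "userIdentity.arn"), get(e, "requestParameters.userName"))
            for e in events
            if selection(e) and not filter_main_user_identity(e, strict)]
```

With whole-value equality the self-service change by `bob` is also reported, so it is worth checking how the backend in use translates the `fieldref` filter before relying on it to suppress self-service password changes.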