UnauthorizedAccess Followed By Create User
Overview
This detector reports an issue when an IAM user that has an UnauthorizedAccess finding in AWS Security Hub creates a new IAM user.
If an attacker compromises an existing IAM user, they might create additional users as a next step to establish persistence in your AWS account. This detector is intended to identify this pattern.
Technical details:
UnauthorizedAccess findings in Security Hub are generated by Amazon GuardDuty based on GuardDuty's analysis of events from CloudTrail, for example:
- Multiple successful console logins from different geographic locations around the same time
- Use of temporary credentials for an EC2 instance from external IP addresses
- API calls from known malicious IP addresses
- API calls from exit nodes of the Tor anonymous routing network
- Other patterns that may be detected by GuardDuty (including Machine Learning analysis of CloudTrail events)
The creation of a new IAM user is identified by detecting CreateUser events from CloudTrail.
This detector monitors AWS Security Hub for UnauthorizedAccess findings related to an IAM user, followed by a CreateUser event from that same user.
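The correlation the detector performs, as an added Python example that is not part of this page or the vendor's product: it maps UnauthorizedAccess findings to the IAM user they name, then flags successful CloudTrail CreateUser calls made by that same user within a 24-hour window. The finding and log records are constructed, simplified samples, and the 24-hour window is an assumption, not the detector's documented setting.

```python
from datetime import datetime, timedelta, timezone

# Constructed Security Hub finding in a simplified ASFF shape (not a real finding).
SECURITY_HUB_FINDINGS = [
    {"Types": ["TTPs/Initial Access/UnauthorizedAccess:IAMUser-TorIPCaller"],
     "UpdatedAt": "2024-05-01T10:00:00Z",
     "Resources": [{"Type": "AwsIamAccessKey", "Details": {"AwsIamAccessKey": {"UserName": "alice"}}}]},
]
def ct_event(time, actor, new_user, error=None):
    """Build a constructed CloudTrail CreateUser record (simplified, not real log data)."""
    e = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
         "userIdentity": {"type": "IAMUser", "userName": actor},
         "requestParameters": {"userName": new_user}}
    if error:
        e["errorCode"] = error  # CloudTrail records a failed API call with an errorCode
    return e
CLOUDTRAIL_EVENTS = [
    ct_event("2024-05-01T10:30:00Z", "alice", "svc-backup"),                  # 30 min after finding: alert
    ct_event("2024-05-01T10:45:00Z", "alice", "svc-backup2", "AccessDenied"),  # denied call: no user created
    ct_event("2024-05-01T11:00:00Z", "bob", "new-dev"),                       # bob has no finding: benign
    ct_event("2024-05-03T10:30:00Z", "alice", "svc-late"),                    # outside the 24 h window
]
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def flagged_users(findings):
    """Map IAM user name -> time of that user's most recent UnauthorizedAccess finding."""
    flagged = {}
    for f in findings:
        if not any("UnauthorizedAccess" in t for t in f.get("Types", [])):
            continue
        seen = parse_ts(f["UpdatedAt"])
        for res in f.get("Resources", []):
            name = res.get("Details", {}).get("AwsIamAccessKey", {}).get("UserName")
            if name:
                flagged[name] = max(flagged.get(name, seen), seen)
    return flagged
def correlate(findings, events, window=timedelta(hours=24)):
    """Return (actor, created_user, eventTime) for successful CreateUser calls by a flagged user within window."""
    flagged, hits = flagged_users(findings), []
    for e in events:
        if (e.get("eventSource") != "iam.amazonaws.com" or e.get("eventName") != "CreateUser"
                or "errorCode" in e or e.get("userIdentity", {}).get("type") != "IAMUser"):
            continue  # not a successful CreateUser by an IAM user (roles and root are out of scope here)
        actor, when = e["userIdentity"]["userName"], parse_ts(e["eventTime"])
        found = flagged.get(actor)
        if found is not None and found <= when <= found + window:
            hits.append((actor, e["requestParameters"]["userName"], e["eventTime"]))
    return hits
```

Only the first record is reported: the denied call created nothing, bob has no finding, and the later call falls outside the window.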
Vendor: AWS
Severity: 4