We look at AWS IAM events to determine if an attacker gained unauthorized or persistent access to a cloud region by creating a new cloud user.
After an attacker gains unauthorized access to an cloud environment, one of their objectives is to establish persistent access to the environment. A common technique to maintain persistence to the cloud is to create a new user. For example, an Adversary creates a cloud user account within AWS/Azure that provides them access to key resources to maintain persistence or to grant further access in the future.
Phase: Production
Supported vendors:
- Amazon Web Services (AWS)
- Microsoft Azure
Comments
0 comments
Please sign in to leave a comment.