AWS User API Key Created (Panther detection rule)
Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation, T1108 Redundant Access |
| Stealth | T1108 Redundant Access |
| Lateral Movement | T1550 Use Alternate Authentication Material |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- AWS IAM Backdoor Users Keys (Sigma)
- AWS IAM S3Browser User or AccessKey Creation (Sigma)
- AWS IAM Sensitive Operations via Lambda Execution Role (Elastic)
- AWS IAM User Created Access Keys For Another User (Elastic)
- AWS Sensitive IAM Operations Performed via CloudShell (Elastic)
- High-Risk Cross-Cloud User Impersonation (Kusto)
- IAM Access Key Created (Sigma)
- IAM Access Key Creation Attempt (Sigma)
Rule body (YAML)
```yaml
AnalysisType: rule
Description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment.
DisplayName: "AWS User API Key Created"
Enabled: true
Filename: aws_iam_user_key_created.py
Reports:
  MITRE ATT&CK:
    - TA0003:T1098
    - TA0005:T1108
    - TA0005:T1550
    - TA0008:T1550
  Stratus Red Team:
    - aws.persistence.iam-backdoor-user
    - aws.persistence.iam-create-admin-user
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
Severity: Medium
Tests:
  - ExpectedResult: false
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: "12345"
      eventName: CreateAccessKey
      eventSource: iam.amazonaws.com
      eventTime: "2022-09-27 17:09:18"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: false
      recipientAccountId: "123456789"
      requestParameters:
        userName: user1
      responseElements:
        accessKey:
          accessKeyId: ABCDEFG
          createDate: Sep 27, 2022 5:09:18 PM
          status: Active
          userName: user1
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ABCDEFGH
        accountId: "123456789"
        arn: arn:aws:iam::123456789:user/user1
        invokedBy: cloudformation.amazonaws.com
        principalId: ABCDEFGH
        sessionContext:
          attributes:
            creationDate: "2022-09-27T17:08:35Z"
            mfaAuthenticated: "false"
          sessionIssuer: {}
          webIdFederationData: {}
        type: IAMUser
        userName: user1
    Name: user1 create keys for user1
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: "12345"
      eventName: CreateAccessKey
      eventSource: iam.amazonaws.com
      eventTime: "2022-09-27 17:09:18"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: false
      recipientAccountId: "123456789"
      requestParameters:
        userName: user2
      responseElements:
        accessKey:
          accessKeyId: ABCDEFG
          createDate: Sep 27, 2022 5:09:18 PM
          status: Active
          userName: user2
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ABCDEFGH
        accountId: "123456789"
        arn: arn:aws:iam::123456789:user/user1
        invokedBy: cloudformation.amazonaws.com
        principalId: ABCDEFGH
        sessionContext:
          attributes:
            creationDate: "2022-09-27T17:08:35Z"
            mfaAuthenticated: "false"
          sessionIssuer: {}
          webIdFederationData: {}
        type: IAMUser
        userName: user1
    Name: user1 create keys for user2
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: "12345"
      eventName: CreateAccessKey
      eventSource: iam.amazonaws.com
      eventTime: "2022-09-27 17:09:18"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: false
      recipientAccountId: "123456789"
      requestParameters:
        userName: jack
      responseElements:
        accessKey:
          accessKeyId: ABCDEFG
          createDate: Sep 27, 2022 5:09:18 PM
          status: Active
          userName: jack
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ABCDEFGH
        accountId: "123456789"
        arn: arn:aws:iam::123456789:user/jackson
        invokedBy: cloudformation.amazonaws.com
        principalId: ABCDEFGH
        sessionContext:
          attributes:
            creationDate: "2022-09-27T17:08:35Z"
            mfaAuthenticated: "false"
          sessionIssuer: {}
          webIdFederationData: {}
        type: IAMUser
        userName: user1
    Name: jackson create keys for jack
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: "12345"
      eventName: CreateAccessKey
      eventSource: iam.amazonaws.com
      eventTime: "2022-09-27 17:09:18"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: false
      recipientAccountId: "123456789"
      requestParameters:
        userName: jackson
      responseElements:
        accessKey:
          accessKeyId: ABCDEFG
          createDate: Sep 27, 2022 5:09:18 PM
          status: Active
          userName: jackson
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ABCDEFGH
        accountId: "123456789"
        arn: arn:aws:iam::123456789:user/jack
        invokedBy: cloudformation.amazonaws.com
        principalId: ABCDEFGH
        sessionContext:
          attributes:
            creationDate: "2022-09-27T17:08:35Z"
            mfaAuthenticated: "false"
          sessionIssuer: {}
          webIdFederationData: {}
        type: IAMUser
        userName: user1
    Name: jack create keys for jackson
  - ExpectedResult: false
    Name: CreateKey returns error code
    Log:
      {
        "awsRegion": "us-east-1",
        "errorCode": "LimitExceededException",
        "errorMessage": "Cannot exceed quota for AccessKeysPerUser: 2",
        "eventCategory": "Management",
        "eventID": "efffffff-bbbb-4444-bbbb-ffffffffffff",
        "eventName": "CreateAccessKey",
        "eventSource": "iam.amazonaws.com",
        "eventTime": "2023-01-03 01:52:07.000000000",
        "eventType": "AwsApiCall",
        "eventVersion": "1.08",
        "managementEvent": true,
        "readOnly": false,
        "recipientAccountId": "123456789012",
        "requestID": "84eeeeee-eeee-eeee-eeee-eeeeeeeeeeee",
        "sourceIPAddress": "12.12.12.12",
        "tlsDetails": {
          "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
          "clientProvidedHostHeader": "iam.amazonaws.com",
          "tlsVersion": "TLSv1.2"
        },
        "userAgent": "aws-sdk-go-v2/1.14.0 os/macos lang/go/1.17.6 md/GOOS/darwin md/GOARCH/arm64 api/iam/1.17.0",
        "userIdentity": {
          "accessKeyId": "ASIA5ZXAKGI33TI7QQGW",
          "accountId": "123456789012",
          "arn": "arn:aws:iam::123456789012:user/some_iam_user",
          "principalId": "AIDA55555555555555555",
          "sessionContext": {
            "attributes": {
              "creationDate": "2023-01-03T01:52:07Z",
              "mfaAuthenticated": "true"
            },
            "sessionIssuer": {},
            "webIdFederationData": {}
          },
          "type": "IAMUser",
          "userName": "some_iam_user"
        }
      }
DedupPeriodMinutes: 60
LogTypes:
  - AWS.CloudTrail
RuleID: "AWS.IAM.Backdoor.User.Keys"
Threshold: 1
```
Detection logic
Condition
not (errorCode is_not_null or errorMessage is_not_null)
eventSource eq "iam.amazonaws.com"
eventName eq "CreateAccessKey"
This rule also runs imperative logic (in aws_iam_user_key_created.py) that the parser cannot express as a filter: the comparison between the calling principal and the user who received the key. The conditions above are the structured part it could extract.
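The imperative part that the parser could not extract is the check that the principal making the call is not the user receiving the key. The following is an added stand-alone re-implementation of that logic over plain dicts, written for this page; it is not Panther's own aws_iam_user_key_created.py, and the helper names deep_get, is_successful_call, make_event and run_page_tests are assumptions of the example. It replays the five scenarios from the Tests section above on constructed records shaped like the page's test logs.

```python
# Added example (not Panther's own aws_iam_user_key_created.py): a stand-alone
# re-implementation of the rule's imperative logic over plain dicts, so the
# behaviour the YAML tests above expect can be checked offline. The helper
# names deep_get, is_successful_call, make_event and run_page_tests are
# assumptions of this example.
from typing import Any, Dict, Mapping, Optional


def deep_get(event: Mapping[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested mappings safely; return `default` if any key is missing."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, Mapping) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_successful_call(event: Mapping[str, Any]) -> bool:
    """CloudTrail sets errorCode/errorMessage on a rejected API call. A rejected
    CreateAccessKey (e.g. LimitExceededException) created nothing, which is why
    the rule's exclusions suppress those records."""
    return event.get("errorCode") is None and event.get("errorMessage") is None


def rule(event: Mapping[str, Any]) -> bool:
    """True when an IAM principal creates an access key for a different user."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "CreateAccessKey":
        return False
    if not is_successful_call(event):
        return False
    # Actor: last path segment of userIdentity.arn
    # (arn:aws:iam::<account>:user/<name> -> <name>).
    actor = deep_get(event, "userIdentity", "arn", default="ARN_NOT_FOUND").rsplit("/", 1)[-1]
    # Target: the userName IAM echoes back inside the created accessKey object,
    # which is present even when requestParameters.userName was omitted.
    target = deep_get(event, "responseElements", "accessKey", "userName",
                      default="USERNAME_NOT_FOUND")
    return actor != target


def title(event: Mapping[str, Any]) -> str:
    """Alert title naming both principals, the two fields the rule emits."""
    return (f"[{deep_get(event, 'userIdentity', 'arn')}] created API keys for "
            f"[{deep_get(event, 'responseElements', 'accessKey', 'userName')}]")


def make_event(actor_arn: str, target_user: Optional[str],
               error_code: Optional[str] = None) -> Dict[str, Any]:
    """Constructed CloudTrail record shaped like the page's test logs
    (sample data built for this example, not a real trail)."""
    event: Dict[str, Any] = {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": actor_arn},
    }
    if error_code:
        # A failed call carries the error fields and no responseElements.
        event["errorCode"] = error_code
        event["errorMessage"] = "Cannot exceed quota for AccessKeysPerUser: 2"
    else:
        event["responseElements"] = {
            "accessKey": {"accessKeyId": "ABCDEFG", "status": "Active",
                          "userName": target_user}
        }
    return event


def run_page_tests() -> Dict[str, bool]:
    """Replay the five scenarios from the rule's Tests section."""
    cases = {
        "user1 create keys for user1": make_event("arn:aws:iam::123456789:user/user1", "user1"),
        "user1 create keys for user2": make_event("arn:aws:iam::123456789:user/user1", "user2"),
        "jackson create keys for jack": make_event("arn:aws:iam::123456789:user/jackson", "jack"),
        "jack create keys for jackson": make_event("arn:aws:iam::123456789:user/jack", "jackson"),
        "CreateKey returns error code": make_event(
            "arn:aws:iam::123456789012:user/some_iam_user", None,
            error_code="LimitExceededException"),
    }
    return {name: rule(ev) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, fired in run_page_tests().items():
        print(f"{fired!s:5} {name}")
```

Two details worth noting. The comparison keys on userIdentity.arn rather than userIdentity.userName, which is why the third and fourth tests above fire even though their userIdentity.userName still reads user1. And for a call made from an assumed-role session the ARN's last segment is the session name, never an IAM user name, so every CreateAccessKey issued through a role (CI pipelines, automation roles) fires this rule; tune with an allowlist on the role ARN if that is expected in your account rather than by loosening the comparison.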
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| errorCode | is_not_null | |
| errorMessage | is_not_null | |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| eventName | eq | "CreateAccessKey" |
| eventSource | eq | "iam.amazonaws.com" |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| eventName | |
| eventSource | |
| awsRegion | |
| recipientAccountId | |
| sourceIPAddress | |
| userAgent | |
| userIdentity | |
| arn | userIdentity.arn |
| userName | responseElements.accessKey.userName |