Detection rules › Panther
New IAM Credentials Updated
A console password, access key, or user has been created.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- ASL AWS Create Access Key (Splunk)
- AWS CreateAccessKey (Splunk)
- AWS CreateLoginProfile (Splunk)
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity (Elastic)
- AWSCloudTrail - Creation of Access Key for IAM User (Kusto)
- IAM Entity Created Without CloudFormation (Panther)
- IAM User Created (Panther)
- Root Account Access Key Created (Panther)
Rule body yaml
AnalysisType: rule
Filename: aws_update_credentials.py
RuleID: "AWS.IAM.CredentialsUpdated"
DisplayName: "New IAM Credentials Updated"
Enabled: true
LogTypes:
- AWS.CloudTrail
Reports:
MITRE ATT&CK:
- TA0003:T1098
Stratus Red Team:
- aws.persistence.iam-backdoor-user
- aws.persistence.iam-create-admin-user
- aws.persistence.iam-create-user-login-profile
Tags:
- AWS
- Identity & Access Management
- Persistence:Account Manipulation
Severity: Info
Description: A console password, access key, or user has been created.
Runbook: This rule is purely informational, there is no action needed.
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html
SummaryAttributes:
- eventName
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: User Password Was Changed
ExpectedResult: true
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "AAAAIIIIIIU74NPJW5K76",
"arn": "arn:aws:iam::123456789012:user/test_user",
"accountId": "123456789012",
"accessKeyId": "AAAAIIIIIIU74NPJW5K76",
"userName": "test_user",
"sessionContext":
{
"attributes":
{
"mfaAuthenticated": "true",
"creationDate": "2019-12-31T01:50:17Z",
},
},
"invokedBy": "signin.amazonaws.com",
},
"eventTime": "2019-12-31T01:50:46Z",
"eventSource": "iam.amazonaws.com",
"eventName": "ChangePassword",
"awsRegion": "us-east-1",
"sourceIPAddress": "64.25.27.224",
"userAgent": "signin.amazonaws.com",
"requestParameters": null,
"responseElements": null,
"requestID": "a431f05e-67e1-11ea-bc55-0242ac130003",
"eventID": "a431f05e-67e1-11ea-bc55-0242ac130003",
"readOnly": false,
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
- Name: MFA Device Was Created
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"userIdentity":
{
"type": "IAMUser",
"principalId": "AAAAIIIIIIU74NPJW5K76",
"arn": "arn:aws:iam::123456789012:user/test_user",
"accountId": "123456789012",
"accessKeyId": "AAAAIIIIIIU74NPJW5K76",
"userName": "test_user",
"sessionContext":
{
"attributes":
{
"mfaAuthenticated": "true",
"creationDate": "2019-12-31T01:50:17Z",
},
},
"invokedBy": "signin.amazonaws.com",
},
"eventTime": "2019-12-31T01:50:46Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateVirtualMFADevice",
"awsRegion": "us-east-1",
"sourceIPAddress": "64.25.27.224",
"userAgent": "signin.amazonaws.com",
"requestParameters": null,
"responseElements": null,
"requestID": "a431f05e-67e1-11ea-bc55-0242ac130003",
"eventID": "a431f05e-67e1-11ea-bc55-0242ac130003",
"readOnly": false,
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
- Name: User Password Change Error
ExpectedResult: false
Log:
{
"eventVersion": "1.05",
"errorCode": "PasswordPolicyViolation",
"userIdentity":
{
"type": "IAMUser",
"principalId": "AAAAIIIIIIU74NPJW5K76",
"arn": "arn:aws:iam::123456789012:user/test_user",
"accountId": "123456789012",
"accessKeyId": "AAAAIIIIIIU74NPJW5K76",
"userName": "test_user",
"sessionContext":
{
"attributes":
{
"mfaAuthenticated": "true",
"creationDate": "2019-12-31T01:50:17Z",
},
},
"invokedBy": "signin.amazonaws.com",
},
"eventTime": "2019-12-31T01:50:46Z",
"eventSource": "iam.amazonaws.com",
"eventName": "ChangePassword",
"awsRegion": "us-east-1",
"sourceIPAddress": "64.25.27.224",
"userAgent": "signin.amazonaws.com",
"requestParameters": null,
"responseElements": null,
"requestID": "a431f05e-67e1-11ea-bc55-0242ac130003",
"eventID": "a431f05e-67e1-11ea-bc55-0242ac130003",
"readOnly": false,
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012",
}
Detection logic
Condition
eventName in ["ChangePassword", "CreateAccessKey", "CreateLoginProfile", "CreateUser"]
not (errorCode is_not_null or errorMessage is_not_null)
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
errorCode | is_not_null | |
errorMessage | is_not_null |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
eventName | |
eventSource | |
awsRegion | |
recipientAccountId | |
sourceIPAddress | |
userAgent | |
userIdentity | |
type | userIdentity.type |
arn | userIdentity.arn |