Commit

Add references to aws.persistence.iam-create-admin-user
christophetd committed Feb 28, 2023
1 parent eb63922 commit 370a454
Showing 1 changed file with 6 additions and 0 deletions.
Expand Up @@ -27,6 +27,12 @@ Warm-up: None.
Detonation:
- Create the IAM user and attach the 'AdministratorAccess' managed IAM policy to it.
References:
- https://permiso.io/blog/s/approach-to-detection-androxgh0st-greenbot-persistence/
- https://blog.darklab.hk/2021/07/06/trouble-in-paradise/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
`,
Detection: `
Through CloudTrail's <code>CreateUser</code>, <code>AttachUserPolicy</code> and <code>CreateAccessKey</code> events.
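Review bot: The three entries added under "References:" are bare URLs with no title or note on what each one covers, so a reader cannot tell which report documents the IAM user creation and 'AdministratorAccess' attachment described under Detonation without opening all of them. Consider a short label per entry. The list also sits inside the description string, directly after the Detonation bullet and before the closing backtick, so check that whatever renders this string shows the "- https://..." lines as their own list rather than running them into the Detonation bullets.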