diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md index 60c2495f..ffcc8314 100755 --- a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md @@ -28,6 +28,9 @@ Establishes persistence by creating an access key on an existing IAM user. - Create an IAM access key on the user. +References: +- https://sysdig.com/blog/scarleteel-2-0/ + ## Instructions diff --git a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go index 774b60dc..ee78912d 100644 --- a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go +++ b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go @@ -26,12 +26,16 @@ Warm-up: Detonation: - Create an IAM access key on the user. + +References: +- https://sysdig.com/blog/scarleteel-2-0/ `, Detection: ` Through CloudTrail's CreateAccessKey event. This event can hardly be considered suspicious by itself, unless correlated with other indicators. '`, Platform: stratus.AWS, + IsIdempotent: false, // iam:CreateAccessKey can only be called twice (limit of 2 access keys per user) MitreAttackTactics: []mitreattack.Tactic{mitreattack.Persistence, mitreattack.PrivilegeEscalation}, PrerequisitesTerraformCode: tf,
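Review bot: The References block added to the markdown hunk duplicates the one added to the `Description` string in the Go hunk; if `docs/attack-techniques` is generated from the technique's description (please confirm), the hand edit to the `.md` file is redundant and will be overwritten on the next docs generation, so only the Go change should be needed.

Review bot: The comment on `IsIdempotent: false` in the Go hunk misstates the constraint: `iam:CreateAccessKey` is not limited to two calls; a user can hold at most two access keys at a time, so a second detonation only fails while the key created by the first one still exists. Suggest rewording to something like `// not idempotent: a user can hold at most 2 access keys, so detonating again without reverting hits the quota`, and confirming that the revert step deletes the created key so re-runs do not hit the limit. While this block is being touched, the unchanged context line `unless correlated with other indicators. '` has a stray single quote before the closing backtick that ends up in the rendered detection text and should be dropped.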