
The account password policy was changed in a suspicious way

ID: aws_password_policy_change_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1484

Description

AlphaSOC has detected a password policy change that may indicate an attempt to weaken security controls. This detection is particularly concerning if it involves a new autonomous system number (ASN), a new user agent, or the DeleteAccountPasswordPolicy action. Such changes may be part of an adversary's effort to gain easier access to compromised accounts.

Impact

Changes to password policies can significantly weaken an organization's security. Threat actors can exploit these changes to set weaker passwords or to remove account lockout policies. This can lead to easier unauthorized access and potential data breaches.

Severity

Severity        Condition
Informational   Password policy change detected
Low             Unexpected ASN, user agent or use of the DeleteAccountPasswordPolicy action
Medium          Multiple conditions occur simultaneously
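To make the severity table concrete, here is an added Python example (not AlphaSOC's code) that applies it to constructed CloudTrail-style records. The UpdateAccountPasswordPolicy event name, the per-event "asn" field (assumed to come from IP enrichment, since CloudTrail itself only records sourceIPAddress) and the baseline sets of known ASNs and user agents are assumptions.

```python
# Constructed CloudTrail-style records trimmed to the fields the rule needs; "asn" is
# not a native CloudTrail field and is assumed to come from sourceIPAddress enrichment.
ADMIN = "arn:aws:iam::123456789012:user/iam-admin"
SAMPLE_EVENTS = [
    {"eventName": "UpdateAccountPasswordPolicy", "userAgent": "aws-cli/2.15.0",
     "asn": 64500, "userIdentity": {"arn": ADMIN}},
    {"eventName": "UpdateAccountPasswordPolicy", "userAgent": "signin.amazonaws.com",
     "asn": 64500, "userIdentity": {"arn": ADMIN}},
    {"eventName": "DeleteAccountPasswordPolicy", "userAgent": "Boto3/1.34.0",
     "asn": 64511, "userIdentity": {"arn": ADMIN}},
    {"eventName": "GetAccountPasswordPolicy", "userAgent": "Boto3/1.34.0",
     "asn": 64511, "userIdentity": {"arn": ADMIN}},
]
# Assumed baseline: ASNs and user agents previously seen for this account.
KNOWN_ASNS = {64500}
KNOWN_USER_AGENTS = {"aws-cli/2.15.0", "console.amazonaws.com"}
# IAM API calls that modify the account password policy (CloudTrail eventName values).
POLICY_CHANGE_EVENTS = {"UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy"}


def score_event(event, known_asns, known_uas):
    """Apply the severity table: Informational for any change, Low for one
    escalating condition, Medium when several conditions coincide.
    Returns (severity, reasons), or None for events that do not change the policy."""
    if event.get("eventName") not in POLICY_CHANGE_EVENTS:
        return None  # read-only calls such as GetAccountPasswordPolicy are ignored
    reasons = []
    if event.get("asn") not in known_asns:
        reasons.append(f"unexpected ASN {event.get('asn')}")
    if event.get("userAgent") not in known_uas:
        reasons.append(f"unexpected user agent {event.get('userAgent')!r}")
    if event["eventName"] == "DeleteAccountPasswordPolicy":
        reasons.append("password policy deleted")
    severity = "Medium" if len(reasons) > 1 else "Low" if reasons else "Informational"
    return severity, reasons


def scan(events, known_asns, known_uas):
    """Return (actor ARN, eventName, severity, reasons) for each policy change."""
    findings = []
    for event in events:
        scored = score_event(event, known_asns, known_uas)
        if scored is not None:
            findings.append((event["userIdentity"]["arn"], event["eventName"], *scored))
    return findings


if __name__ == "__main__":
    for arn, name, severity, reasons in scan(SAMPLE_EVENTS, KNOWN_ASNS, KNOWN_USER_AGENTS):
        print(f"{severity:13} {name:28} {'; '.join(reasons) or 'matches baseline'}")
```

The baseline sets would in practice be built from the account's own CloudTrail history over a trailing window rather than hard-coded.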

Investigation and Remediation

Investigate the details of the policy change, including who made the change and from where. Review logs for any suspicious activities. If the change was unauthorized, revert the password policy change and enforce password resets.

Known False Positives

  • Legitimate administrative action to update password policies

Further Reading