
AWS IAM user with a known malicious name

ID: aws_iam_user_malicious_name
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0003:T1136.003

Description

AlphaSOC detected the creation of an AWS IAM user whose name matches patterns associated with known threat actor tools, campaigns, or attack frameworks. Creating IAM users with such recognizable names may indicate an attack attempt.

Impact

This action may indicate a compromise of your AWS environment. If the user is assigned access keys, those credentials remain valid indefinitely until explicitly revoked. An attacker with a persistent IAM user may exfiltrate data, pivot to other services, or maintain long-term access to cloud infrastructure.

Severity

Severity   Condition
Medium     IAM user created with a known malicious name pattern

Investigation and Remediation

Review AWS CloudTrail logs to identify the identity that created the IAM user and the permissions granted. Immediately disable and delete the malicious user account. Inspect CloudTrail for any API actions performed by this user since creation. Rotate credentials for the account used to create it and audit IAM policies for excessive privilege.
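As an added example, not AlphaSOC's own detection logic (its name pattern list is not published on this page), the following Python triages CloudTrail CreateUser records against a placeholder pattern list and gathers the facts the investigation steps above call for: the creating identity and source IP, whether an access key was issued for the new user, and every later API call the new user made. The patterns, events, and account ID are constructed.

```python
import re

# Constructed placeholder patterns: AlphaSOC's real name list is not on the page.
MALICIOUS_NAME_PATTERNS = [re.compile(p, re.I) for p in (r"^backdoor", r"persist\d*$")]

def matches_malicious_name(user_name, patterns=MALICIOUS_NAME_PATTERNS):
    return any(p.search(user_name) for p in patterns)

def triage_create_user_events(events, patterns=MALICIOUS_NAME_PATTERNS):
    """Flag successful iam:CreateUser events with a matching userName and collect triage facts."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreateUser":
            continue
        if ev.get("errorCode"):  # a denied call creates no user, so nothing persists
            continue
        name = (ev.get("requestParameters") or {}).get("userName", "")
        if not matches_malicious_name(name, patterns):
            continue
        # CloudTrail eventTime is ISO-8601 UTC, so string comparison orders events correctly
        later = [e for e in events if e["eventTime"] > ev["eventTime"]]
        findings.append({
            "user_name": name,
            "created_by": ev.get("userIdentity", {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "access_key_created": any(
                e["eventName"] == "CreateAccessKey"
                and (e.get("requestParameters") or {}).get("userName") == name for e in later),
            "actions_by_user": [
                f'{e["eventSource"]}:{e["eventName"]}' for e in later
                if e.get("userIdentity", {}).get("type") == "IAMUser"
                and e.get("userIdentity", {}).get("userName") == name],
        })
    return findings

# Constructed sample CloudTrail records, trimmed to the fields used above.
ADMIN = {"type": "IAMUser", "userName": "deploy-admin", "arn": "arn:aws:iam::123456789012:user/deploy-admin"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "backdoor-svc"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": ADMIN, "requestParameters": {"userName": "backdoor-svc"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "backdoor-svc"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": ADMIN, "requestParameters": {"userName": "ci-runner"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": ADMIN, "requestParameters": {"userName": "persist1"}, "errorCode": "AccessDenied"},
]
```

Running triage_create_user_events(SAMPLE_EVENTS) yields one finding for backdoor-svc; the benign ci-runner user is not flagged and the denied persist1 attempt is skipped because no user was created.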