Live Demo: AWS Persistence Through IAM Abuse In this Threat Thursday, we will explore how threat actors can establish persistent access within an AWS environment by abusing existing authentication. This scenario assumes an adversary has compromised a machine where an authorized user is already logged into AWS and has access to the command-line interface. The attack begins with an enumeration phase, where the adversary checks if they have valid AWS credentials and the necessary permissions to proceed. If the session lacks proper authentication or sufficient privileges, the attack is halted. However, if access is confirmed, the next step is persistence, where the adversary creates a new IAM user, effectively setting up a backdoor account. To solidify control, the attacker then grants administrative privileges to the new user by attaching high-level permissions. This ensures they can maintain access even if the original compromised account is detected and removed. 🎙️ New to streaming or looking to level up? Check out StreamYard and get $10 discount! 😍 https://streamyard.com/pal/d/5426359667392512