CreateSAMLProvider
Event
Creates an IAM SAML provider resource from a SAML 2.0 identity provider's metadata document, enabling users of that identity provider to authenticate to the account through SAML federation.
Security Context
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence, Privilege Escalation
Techniques:
- T1556 — Modify Authentication Process — Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SA...
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
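As an added illustration of how a defender would surface this event in the CloudTrail log source named above (example code written for this page, not part of the original entry or of any AWS tooling), the block below parses CloudTrail's JSON envelope, picks out iam.amazonaws.com CreateSAMLProvider records, and reports the actor, source IP, requested provider name and outcome. The three records are constructed samples; the field names (eventSource, eventName, requestParameters.name, responseElements.sAMLProviderArn, errorCode) follow CloudTrail's usual shape, but the values, ARNs and IPs are invented. The EXPECTED_PROVIDERS allowlist is an assumed local convention, not an AWS feature.

```python
import json
from typing import Any, Dict, Iterable, List, Set

# Constructed sample CloudTrail log (not taken from the original page).
# Record 1: a successful CreateSAMLProvider; record 2: a denied attempt;
# record 3: an unrelated IAM call that the detector must ignore.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T10:22:01Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateSAMLProvider",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"name": "corp-idp"},
        "responseElements": {
            "sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/corp-idp"},
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T10:25:44Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateSAMLProvider",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
        "requestParameters": {"name": "shadow-idp"},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: iam:CreateSAMLProvider",
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T10:30:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": None,
    },
]})

# Assumed allowlist of identity providers the account is known to federate with.
EXPECTED_PROVIDERS: Set[str] = {"corp-idp"}


def parse_cloudtrail_log(text: str) -> List[Dict[str, Any]]:
    """Unwrap CloudTrail's {"Records": [...]} envelope into a list of records."""
    return json.loads(text).get("Records", [])


def find_saml_provider_creations(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per CreateSAMLProvider call, successful or not."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateSAMLProvider":
            continue
        params = rec.get("requestParameters") or {}
        response = rec.get("responseElements") or {}
        identity = rec.get("userIdentity") or {}
        error = rec.get("errorCode")
        findings.append({
            "time": rec.get("eventTime"),
            "actor": identity.get("arn", "<unknown>"),
            "actor_type": identity.get("type", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "provider_name": params.get("name", "<unknown>"),
            # Only present on success; a denied call has no response elements.
            "provider_arn": response.get("sAMLProviderArn"),
            # A denied call still signals intent and deserves a lower-severity alert.
            "outcome": "created" if error is None else f"failed:{error}",
        })
    return findings


def filter_unexpected(findings: List[Dict[str, Any]], expected: Set[str]) -> List[Dict[str, Any]]:
    """Keep only providers that are not on the account's known-IdP allowlist."""
    return [f for f in findings if f["provider_name"] not in expected]


if __name__ == "__main__":
    hits = find_saml_provider_creations(parse_cloudtrail_log(SAMPLE_LOG))
    for f in hits:
        print(f"{f['time']} {f['outcome']:<20} {f['provider_name']:<12} by {f['actor']} from {f['source_ip']}")
    for f in filter_unexpected(hits, EXPECTED_PROVIDERS):
        print(f"UNEXPECTED provider '{f['provider_name']}' ({f['outcome']})")
```

Every CreateSAMLProvider call is reported, because even an allowlisted provider name can be re-registered with attacker-controlled metadata; the allowlist only decides which findings are escalated as unexpected. Pairing this with the subsequent AssumeRoleWithSAML activity for the new provider ARN is the natural next correlation step.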