AWS AddRoleToInstanceProfile
Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
The adversary is trying to hide and conceal their actions, appearing as normal behavior.
Stealth consists of techniques that reduce the likelihood of detection by blending in with legitimate activity or minimizing observable signals. These techniques are characterized by concealment behaviors, such as avoiding, obfuscating, or mimicking normal operations, without modifying security controls or compromising collection and monitoring feeds. The goal is to remain indistinguishable from benign activity while leaving defensive systems intact.
In cloud environments, stealth looks like operating with valid credentials and sessions that blend into routine API activity, removing attacker-created artifacts such as service account keys to erase evidence of access, and running workloads in unused or unsupported regions where monitoring may not be deployed.
Stealth was introduced in ATT&CK v19 (April 2026), when the former Defense Evasion tactic was split into Stealth and Defense Impairment. Stealth keeps the TA0005 tactic ID.
View Stealth on MITRE ATT&CK →Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role's permissions.
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.
Records a sign-in attempt to the AWS Management Console, capturing success or failure status and whether MFA was used.
Enables a previously disabled AWS region for the account, making its services available for use.
Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation. This is the admin activity audit log format; see also iam.serviceAccounts.getAccessToken for the data access format.
Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.
Returns temporary credentials for an IAM user, typically used to satisfy an MFA requirement for subsequent API calls.
Deletes a service account key, potentially removing evidence of attacker-created credentials.
Records a token exchange where a service account implicitly delegates its authority to another identity.
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.
Global Admin elevates to User Access Administrator at root scope, granting control over all Azure subscriptions.
Allows a principal to pass an IAM role to an AWS service, granting the service permission to assume that role on their behalf.
Records a request to recover or reset the AWS account root user password via the password reset process.
Replaces the IAM instance profile associated with a running EC2 instance with a different one.