SES Identity Has Been Deleted

Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities.

Sigma rule

title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: test
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2022/12/28
tags:
    - attack.defense_evasion
    - attack.t1070
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ses.amazonaws.com'
        eventName: 'DeleteIdentity'
    condition: selection
falsepositives:
    - Unknown
level: medium
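
The rule's selection applied to CloudTrail records, as an added example that is not part of the Sigma rule or its repository. The sample records are constructed, and the triage fields read from each hit (userIdentity.arn, sourceIPAddress, requestParameters.identity, errorCode) assume the standard CloudTrail record layout.

```python
import json

# Selection copied from the rule's detection section (condition: selection).
SELECTION = {"eventSource": "ses.amazonaws.com", "eventName": "DeleteIdentity"}

# Constructed CloudTrail records for illustration; not real log data.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2022-12-13T10:02:11Z", "eventSource": "ses.amazonaws.com", "eventName": "VerifyEmailIdentity", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mailer"}, "requestParameters": {"emailAddress": "alerts@example.com"}},
 {"eventTime": "2022-12-13T10:41:56Z", "eventSource": "ses.amazonaws.com", "eventName": "DeleteIdentity", "sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-bot"}, "requestParameters": {"identity": "alerts@example.com"}},
 {"eventTime": "2022-12-13T10:42:03Z", "eventSource": "ses.amazonaws.com", "eventName": "DeleteIdentity", "sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-bot"}, "errorCode": "AccessDenied", "requestParameters": null}
]}"""


def matches(event, selection=SELECTION):
    """True when every selection field equals the event's value.

    Sigma compares plain string values case-insensitively, so do the same here.
    """
    return all(
        str(event.get(field, "")).lower() == value.lower()
        for field, value in selection.items()
    )


def triage(raw):
    """Return one summary per matching record, with the fields an analyst checks first."""
    hits = []
    for event in json.loads(raw)["Records"]:
        if not matches(event):
            continue
        # requestParameters can be null (for example on a denied call), so guard it.
        params = event.get("requestParameters") or {}
        hits.append({
            "time": event.get("eventTime"),
            "actor": event.get("userIdentity", {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "identity": params.get("identity"),
            "succeeded": "errorCode" not in event,  # failed calls carry errorCode
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The rule itself fires on both the successful and the denied call; the `succeeded` flag is a triage aid added here, not a condition of the rule.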
