Potential AWS Cloud Email Service Abuse
Detects when the email sending feature is enabled for an AWS account and an email address verification request is dispatched in quick succession.
Sigma rule
title: Potential AWS Cloud Email Service Abuse
id: 60b84424-a724-4502-bd0d-cc676e1bc90e
status: unsupported
description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/12
modified: 2023/03/24
tags:
    - attack.t1583.006
    - attack.resource_development
logsource:
    product: aws
    service: cloudtrail
detection:
    selection1:
        eventSource: 'ses.amazonaws.com'
        eventName: 'UpdateAccountSendingEnabled'
    selection2:
        eventSource: 'ses.amazonaws.com'
        eventName: 'VerifyEmailIdentity'
    timeframe: 5m
    condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events
falsepositives:
    - Legitimate SES configuration activity
level: medium
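
A single CloudTrail record cannot match both selections, so the rule's condition and timeframe have to be evaluated as a correlation across events. The following is an added example, not part of the original rule or of Sigma tooling, that performs that correlation over CloudTrail records. Grouping by account and calling principal, matching in either order, and the sample records are assumptions made for the example.

```python
from datetime import datetime, timedelta

SES = "ses.amazonaws.com"
ENABLE = "UpdateAccountSendingEnabled"   # selection1
VERIFY = "VerifyEmailIdentity"           # selection2
WINDOW = timedelta(minutes=5)            # the rule's timeframe

def ts(record):
    # CloudTrail eventTime is ISO 8601 UTC, e.g. 2023-03-24T10:00:00Z
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(records, window=WINDOW):
    """Return (key, enable_time, verify_time) for every enable/verify pair
    from the same key that falls within `window`, in either order."""
    by_key = {}
    for r in records:
        if r.get("eventSource") != SES or r.get("eventName") not in (ENABLE, VERIFY):
            continue
        # Assumption: correlate per account and calling principal.
        key = (r.get("recipientAccountId"), r.get("userIdentity", {}).get("arn"))
        by_key.setdefault(key, {ENABLE: [], VERIFY: []})[r["eventName"]].append(ts(r))
    hits = []
    for key, ev in by_key.items():
        for e in sorted(ev[ENABLE]):
            for v in sorted(ev[VERIFY]):
                if abs(v - e) <= window:
                    hits.append((key, e, v))
    return hits

def rec(time, name, arn, source=SES, account="111122223333"):
    # Builds a minimal CloudTrail-shaped record with only the fields used here.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "recipientAccountId": account, "userIdentity": {"arn": arn}}

# Constructed sample records (not real CloudTrail data).
A = "arn:aws:iam::111122223333:user/example-a"
B = "arn:aws:iam::111122223333:user/example-b"
SAMPLE = [
    rec("2023-03-24T10:00:00Z", ENABLE, A),
    rec("2023-03-24T10:03:10Z", VERIFY, A),   # 3m10s after enable: hit
    rec("2023-03-24T11:00:00Z", ENABLE, B),
    rec("2023-03-24T11:20:00Z", VERIFY, B),   # 20m after enable: outside window
    rec("2023-03-24T10:01:00Z", "PutObject", A, source="s3.amazonaws.com"),
]

if __name__ == "__main__":
    for key, e, v in correlate(SAMPLE):
        print(key, e.isoformat(), v.isoformat())
```

Hits that come from known provisioning roles or infrastructure-as-code pipelines correspond to the rule's listed false positive, legitimate SES configuration activity.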