Potential AWS Cloud Email Service Abuse
Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
Sigma rule (View on GitHub)
1title: Potential AWS Cloud Email Service Abuse
2id: 60b84424-a724-4502-bd0d-cc676e1bc90e
3status: unsupported
4description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
5references:
6 - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
7author: Janantha Marasinghe
8date: 2022/12/12
9modified: 2023/03/24
10tags:
11 - attack.t1583.006
12 - attack.resource_development
13logsource:
14 product: aws
15 service: cloudtrail
16detection:
17 selection1:
18 eventSource: 'ses.amazonaws.com'
19 eventName: 'UpdateAccountSendingEnabled'
20 selection2:
21 eventSource: 'ses.amazonaws.com'
22 eventName: 'VerifyEmailIdentity'
23 timeframe: 5m
24 condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events
25falsepositives:
26 - Legitimate SES configuration activity
27level: medium
References
-
A walk-through of attacks in the wild that abuse stolen cloud compute credentials in the cloud environment. Unit 42 researchers highlight two case studies.
Read More
Related rules
- Renamed SysInternals DebugView Execution
- HackTool - PurpleSharp Execution
- Program Executions in Suspicious Folders
- ProxyLogon MSExchange OabVirtualDirectory
- Relevant ClamAV Message