Data Source: AWS SNS

AWS SNS Email Subscription by Rare User

Feb 20, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS SNS Resources: Investigation Guide Use Case: Threat Detection Tactic: Exfiltration ·

Share on:

Identifies when an SNS topic is subscribed to by an email address of a user who does not typically perform this action. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address.

AWS SNS Topic Created by Rare User

Feb 20, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS SNS Resources: Investigation Guide Use Case: Threat Detection Tactic: Resource Development ·

Share on:

Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities.

SNS Topic Message Publish by Rare User

Jan 15, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS SNS Use Case: Threat Detection Resources: Investigation Guide Tactic: Lateral Movement Tactic: Exfiltration ·

Share on:

Identifies when an SNS topic message is published by a rare user in AWS. Adversaries may publish messages to SNS topics for phishing campaigns, data exfiltration, or lateral movement within the AWS environment. SNS topics are used to send notifications and messages to subscribed endpoints such as applications, devices or email addresses, making them a valuable target for adversaries to distribute malicious content or exfiltrate sensitive data. This is a New Terms rule that only flags when this behavior is observed for the first time on a user in the last 14 days.