{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-simple-notification-service/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Simple Notification Service"],"_cs_severities":["medium"],"_cs_tags":["aws","sns","lateral-movement","exfiltration","impact"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection rule identifies when a user or role publishes a message to an Amazon Simple Notification Service (SNS) topic for the first time. Attackers may abuse SNS topics for various malicious purposes, including internal spearphishing, data exfiltration, or lateral movement within the AWS environment. SNS topics are used to send notifications and messages to subscribed endpoints such as applications, mobile devices, or email addresses. A successful attack could lead to sensitive data being exposed or malicious content being distributed to a wide range of recipients. This rule leverages a \u0026quot;new terms\u0026quot; approach, focusing on identifying previously unseen behavior to surface potentially suspicious activity. It helps security teams detect unusual SNS activity and investigate potential security breaches in AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment, potentially through compromised credentials or exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers accessible SNS topics within the AWS environment using AWS CLI or SDKs.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an SNS topic with a broad subscription base, such as one connected to an internal communications channel.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes a malicious message to the SNS topic using the AWS CLI, SDK, or AWS Management Console, utilizing a rare or new user account.\u003c/li\u003e\n\u003cli\u003eThe SNS service delivers the message to all subscribed endpoints, including applications, mobile devices, or email addresses.\u003c/li\u003e\n\u003cli\u003eRecipients of the malicious message may be tricked into clicking on a phishing link or downloading malicious content, leading to further compromise of their systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the compromised systems for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves impact by spreading malware, stealing sensitive information, or disrupting business operations through the compromised systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting SNS topics can lead to several negative consequences. Internal spearphishing attacks could compromise employees and sensitive data. Data exfiltration through SNS messages may lead to regulatory violations and reputational damage. Resource hijacking could allow attackers to leverage AWS resources for malicious purposes, increasing costs and potentially disrupting services. Organizations in any sector that rely on AWS for their infrastructure are vulnerable, and the number of potential victims depends on the scope and reach of the SNS topic subscriptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for SNS data events to ensure the necessary logs are captured (reference: setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect rare users publishing SNS messages (reference: rules section). Tune the \u003ccode\u003ehistory_window_start\u003c/code\u003e parameter in the rule to match your environment's baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e to identify the actor and SNS topic involved (reference: rule.investigation_fields).\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with users and roles publishing to SNS topics to ensure appropriate permissions are enforced and minimize potential misuse (reference: T1534, T1496).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual API calls related to SNS, such as \u003ccode\u003eAssumeRole\u003c/code\u003e or \u003ccode\u003eCreateAccessKey\u003c/code\u003e, associated with the rare user (reference: T1102).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-sns-rare-user/","summary":"This rule identifies when an SNS topic message is published by a rare user in AWS, which may indicate lateral movement, data exfiltration, or phishing campaigns, potentially leading to resource hijacking and impact on cloud services.","title":"AWS SNS Topic Message Publish by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-sns-rare-user/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon Simple Notification Service","version":"https://jsonfeed.org/version/1.1"}