{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/simple-notification-service/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple Notification Service"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","sns","exfiltration"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies when a user subscribes to an Amazon Simple Notification Service (SNS) topic using a protocol type that is new for that user. SNS allows subscriptions via various protocols, including email, SMS, Lambda functions, and HTTP endpoints. An adversary might exploit this feature to collect sensitive information or exfiltrate data by subscribing with an external email address, a cross-account AWS service, or other means. This \u0026quot;new terms\u0026quot; rule specifically triggers when a previously unseen protocol is used for a subscription by a given user, helping to surface potentially malicious or anomalous activity within an AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an SNS topic containing sensitive data or acting as a conduit for valuable information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to subscribe to the targeted SNS topic.\u003c/li\u003e\n\u003cli\u003eThe attacker selects a rare or unusual protocol for the subscription, such as an external email address, an HTTP endpoint on a rogue server, or a Lambda function under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the subscription to forward messages from the SNS topic to the chosen endpoint.\u003c/li\u003e\n\u003cli\u003eWhen messages are published to the SNS topic, they are automatically delivered to the attacker-controlled endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data via the chosen protocol.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting CloudTrail logs or creating new subscriptions and deleting the original.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, unauthorized access to internal systems, or resource hijacking within the AWS environment. The severity depends on the sensitivity of the data transmitted through the SNS topic and the permissions associated with the compromised AWS account. This could result in financial loss, reputational damage, or legal repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;AWS SNS Rare Protocol Subscription by User\u0026quot; rule to your SIEM and tune the \u003ccode\u003ehistory_window_start\u003c/code\u003e to reduce false positives based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026quot;AWS SNS Rare Protocol Subscription by User\u0026quot; rule, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e fields to determine the actor and the protocol used.\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with users who trigger this alert to ensure the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for subsequent \u003ccode\u003ePublish\u003c/code\u003e actions on the same SNS topic to detect potential data exfiltration attempts.\u003c/li\u003e\n\u003cli\u003eConfigure alerts for any unauthorized modifications to SNS topic policies or subscriptions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-22T12:00:00Z","date_published":"2024-11-22T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-aws-sns-rare-protocol/","summary":"A user subscribing to an SNS topic using a new protocol may indicate data exfiltration or unauthorized access by an adversary aiming to collect sensitive information or exfiltrate data.","title":"AWS SNS Rare Protocol Subscription by User","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-sns-rare-protocol/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple Notification Service"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","sns","resource-development","impact"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies when an AWS Simple Notification Service (SNS) topic is created by a user or role that doesn't typically perform this action. Adversaries might create SNS topics to stage capabilities for data exfiltration, lateral movement, or other malicious activities within the AWS environment. This detection leverages a \u0026quot;New Terms\u0026quot; rule, specifically designed to flag the initial occurrence of this behavior for a given user or role within an AWS account. The rule focuses on identifying anomalous SNS topic creation events, providing an early warning signal for potentially malicious activity related to resource development within AWS. It is triggered by the \u003ccode\u003eCreateTopic\u003c/code\u003e event in AWS CloudTrail logs, ensuring comprehensive coverage of SNS topic creation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed IAM role. (T1566)\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new SNS topic using the AWS CLI, SDK, or Console. The \u003ccode\u003eCreateTopic\u003c/code\u003e API call is made.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCreateTopic\u003c/code\u003e request includes parameters such as the topic name, display name, and other attributes related to the SNS topic configuration.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eCreateTopic\u003c/code\u003e event, capturing details such as the user identity (ARN, type, access key ID), source IP, user agent, and request parameters.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;New Terms\u0026quot; rule analyzes the CloudTrail logs and identifies that the user or role creating the SNS topic has not previously performed this action within the observed timeframe.\u003c/li\u003e\n\u003cli\u003eThe newly created SNS topic can be used by the attacker to subscribe to events and receive notifications about activities within the AWS environment. (T1496)\u003c/li\u003e\n\u003cli\u003eThe attacker can then configure the SNS topic to trigger Lambda functions or S3 events, which allows persistence in the environment.\u003c/li\u003e\n\u003cli\u003eUltimately, the adversary may use the SNS topic for data exfiltration, lateral movement, or other malicious purposes, leveraging the messaging capabilities of SNS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to stage capabilities within the AWS environment. While creating an SNS topic is not inherently malicious, it can be a precursor to more serious attacks. Depending on the subsequent actions taken by the attacker, this could lead to data exfiltration, resource hijacking, or other forms of impact within the AWS infrastructure. The severity depends on the scope of access available to the compromised user or role and the configurations of the newly created SNS topic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect unusual SNS topic creation activities (see rule: \u0026quot;AWS SNS Topic Created by Rare User\u0026quot;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and request parameters associated with the SNS topic creation event.\u003c/li\u003e\n\u003cli\u003eMonitor for further SNS modifications, such as Publish or Subscribe events, following the initial topic creation event (see Overview).\u003c/li\u003e\n\u003cli\u003eEnforce least privilege IAM policies and enable multi-factor authentication (MFA) to reduce the risk of unauthorized access to AWS resources (see Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-sns-topic-rare-user/","summary":"An AWS SNS topic was created by a user who does not typically perform this action, potentially indicating resource development for data exfiltration or other malicious activities.","title":"AWS SNS Topic Created by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-sns-topic-rare-user/"}],"language":"en","title":"CraftedSignal Threat Feed - Simple Notification Service","version":"https://jsonfeed.org/version/1.1"}