{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/simple-queue-service/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple Queue Service"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","sqs","defense-evasion","impact"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis alert detects the purging of an AWS Simple Queue Service (SQS) queue. AWS SQS is a managed message queuing service commonly used to decouple services and buffer events across distributed and serverless architectures. Adversaries may abuse the \u003ccode\u003ePurgeQueue\u003c/code\u003e action to remove messages, potentially disrupting application workflows, destroying operational data, or impairing security monitoring and alerting by deleting audit and security events. Defenders should investigate unexpected \u003ccode\u003ePurgeQueue\u003c/code\u003e events, especially in production environments, to determine whether the action aligns with documented procedures and expected operational behavior. The rule focuses on successful \u003ccode\u003ePurgeQueue\u003c/code\u003e events within AWS CloudTrail logs and should be deployed to monitor critical SQS queues.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an AWS account through compromised credentials or a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies SQS queues that contain valuable operational or security-related data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eaws sqs purge-queue\u003c/code\u003e command or AWS API to purge the targeted queue.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePurgeQueue\u003c/code\u003e API call is logged as a \u003ccode\u003ePurgeQueue\u003c/code\u003e event in AWS CloudTrail.\u003c/li\u003e\n\u003cli\u003eAll messages within the targeted SQS queue are permanently deleted.\u003c/li\u003e\n\u003cli\u003eDownstream systems that rely on messages from the purged queue experience disruption or data loss.\u003c/li\u003e\n\u003cli\u003eSecurity monitoring systems that ingest logs from the purged queue miss critical security events.\u003c/li\u003e\n\u003cli\u003eThe attacker further exploits the environment, potentially performing data exfiltration or other malicious activities, with reduced visibility due to the purged logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful purging of an SQS queue can lead to significant disruption of application workflows and data loss. If the queue contains security-related logs, it can impair monitoring and alerting capabilities, allowing adversaries to operate with reduced visibility. The impact can range from temporary service interruptions to the permanent loss of critical operational data, depending on the purpose and content of the purged queue. This activity could affect a wide range of sectors using AWS SQS, including e-commerce, finance, and healthcare.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS SQS Queue Purge Detected\u0026quot; to your SIEM and tune it for your environment to detect unauthorized queue purges in near real-time.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaccess_key_id\u003c/code\u003e in CloudTrail logs to determine the identity that initiated the \u003ccode\u003ePurgeQueue\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eReinforce least-privilege IAM policies to limit which identities can perform the \u003ccode\u003ePurgeQueue\u003c/code\u003e action, as outlined in the AWS Knowledge Center – Security Best Practices.\u003c/li\u003e\n\u003cli\u003eEnhance monitoring and alerting for destructive SQS actions, especially in production environments, using CloudTrail and CloudWatch.\u003c/li\u003e\n\u003cli\u003eInvestigate events where \u003ccode\u003eevent.action\u003c/code\u003e is \u003ccode\u003ePurgeQueue\u003c/code\u003e and \u003ccode\u003eevent.outcome\u003c/code\u003e is \u003ccode\u003esuccess\u003c/code\u003e in AWS CloudTrail logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-sqs-queue-purge/","summary":"Detection of AWS Simple Queue Service (SQS) queue purging, which adversaries may leverage to disrupt application workflows, destroy operational data, or impair monitoring and alerting systems by removing critical evidence of malicious activity.","title":"AWS SQS Queue Purge Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-sqs-queue-purge/"}],"language":"en","title":"CraftedSignal Threat Feed - Simple Queue Service","version":"https://jsonfeed.org/version/1.1"}