{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1070/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Simple Email Service"],"_cs_severities":["medium"],"_cs_tags":["attack.stealth","attack.t1070","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat brief covers detection of the \u0026ldquo;DeleteIdentity\u0026rdquo; event that AWS CloudTrail records for Amazon Simple Email Service (SES). An adversary who has gained unauthorized access to an AWS environment and used SES for malicious purposes, such as sending phishing emails or distributing malware, may try to erase evidence of that activity by deleting the SES identity (email address or domain) used in the attack. This is a form of indicator removal (MITRE ATT\u0026CK T1070) intended to hinder forensic investigation. Legitimate users do occasionally delete SES identities, so the event is not malicious on its own, but it warrants scrutiny, especially alongside other suspicious cloud activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, for example through compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker explores the AWS environment and identifies SES as a service to abuse for sending malicious email.\u003c/li\u003e\n\u003cli\u003eThe attacker configures SES, verifies an email address or domain, and establishes sending capability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and sends phishing emails or emails carrying malicious attachments to external targets.\u003c/li\u003e\n\u003cli\u003eOnce the campaign is finished, the attacker tries to cover their tracks by removing the SES identity that sent it.\u003c/li\u003e\n\u003cli\u003eThe 
attacker executes the \u0026ldquo;DeleteIdentity\u0026rdquo; API call against SES, specifying the identity to remove.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail records the \u0026ldquo;DeleteIdentity\u0026rdquo; event as a management event, capturing the event source (ses.amazonaws.com), the event name, the calling user identity, the source IP address and the identity that was deleted.\u003c/li\u003e\n\u003cli\u003eThe attacker may go further and stop logging, delete the trail, or tamper with its log files to remove the remaining traces of their actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDeleting an SES identity hinders incident response and forensic investigation. Once the identity is gone, it becomes harder to trace the origin of the malicious emails and to attribute the activity to a specific actor. The deletion itself causes no direct harm, but it obstructs the ability to establish the full scope and impact of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule (\u003ccode\u003eSES Identity Has Been Deleted\u003c/code\u003e), which matches CloudTrail records with event source \u003ccode\u003eses.amazonaws.com\u003c/code\u003e and event name \u003ccode\u003eDeleteIdentity\u003c/code\u003e. The SES v2 API exposes the same operation as \u003ccode\u003eDeleteEmailIdentity\u003c/code\u003e, so extend the detection to that event name as well.\u003c/li\u003e\n\u003cli\u003eInvestigate every detected \u003ccode\u003eDeleteIdentity\u003c/code\u003e event: pivot on the calling principal and source IP, and correlate with other suspicious AWS activity such as recent identity verification or sending from the same principal, unusual IAM role usage, or unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail for all regions within the account so that management events are captured wherever SES is used, and protect the trail and its log bucket from deletion or modification.\u003c/li\u003e\n\u003cli\u003eEnforce least-privilege IAM policies and multi-factor authentication (MFA) to prevent unauthorized access to AWS accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-ses-identity-deleted/","summary":"Detection of an AWS Simple Email Service (SES) identity deletion event, 
potentially indicating an adversary attempting to cover their tracks after malicious activity.","title":"AWS SES Identity Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-ses-identity-deleted/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1070","version":"https://jsonfeed.org/version/1.1"}
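The detection logic the brief describes, run over CloudTrail records, as an added example written for this feed entry; it is not code from CraftedSignal or from the Sigma project's rule. It applies the rule's match (event source `ses.amazonaws.com`, event name `DeleteIdentity`) and goes one step beyond the brief by implementing the recommended correlation: a deletion by a principal who verified an identity or sent mail through SES in the preceding 24 hours is escalated from medium to high. The CloudTrail records are constructed, not real telemetry; the inclusion of the SES v2 `DeleteEmailIdentity` name under the same event source and the `requestParameters` key names (`identity`, `emailIdentity`) are assumptions to confirm against your own logs.

```python
"""Detect SES identity deletion in CloudTrail and correlate it with
prior SES setup or sending activity by the same principal."""
import json
from datetime import datetime, timedelta, timezone

SES_SOURCE = "ses.amazonaws.com"
# SES v1 DeleteIdentity is what the brief and the Sigma rule name; the SES v2
# DeleteEmailIdentity is added on the assumption it shares the event source.
DELETE_EVENTS = {"DeleteIdentity", "DeleteEmailIdentity"}
# Earlier SES actions that make a later deletion look like campaign clean-up
# rather than routine housekeeping.
SETUP_EVENTS = {"VerifyEmailIdentity", "VerifyDomainIdentity",
                "CreateEmailIdentity", "SendEmail", "SendRawEmail"}
LOOKBACK = timedelta(hours=24)

# Constructed CloudTrail records (not real telemetry); only the fields the
# detection needs are present, and all ARNs, addresses and IPs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-03T09:00:00Z", "eventSource": SES_SOURCE,
     "eventName": "VerifyEmailIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"emailAddress": "billing@example.com"}},
    {"eventTime": "2024-01-03T09:30:00Z", "eventSource": SES_SOURCE,
     "eventName": "SendRawEmail", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"source": "billing@example.com"}},
    {"eventTime": "2024-01-03T11:00:00Z", "eventSource": SES_SOURCE,
     "eventName": "DeleteIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"identity": "billing@example.com"}},
    {"eventTime": "2024-01-03T12:00:00Z", "eventSource": SES_SOURCE,
     "eventName": "DeleteIdentity", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-cleanup"},
     "requestParameters": {"identity": "old-noreply@example.com"}},
    {"eventTime": "2024-01-03T12:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-cleanup"},
     "requestParameters": {"userName": "tmp"}},
]})


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal(record):
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def deleted_identity(record):
    # Assumed key names: SES v1 logs "identity", SES v2 logs "emailIdentity".
    params = record.get("requestParameters") or {}
    return params.get("identity") or params.get("emailIdentity") or "<unknown>"


def is_ses_identity_deletion(record):
    """The Sigma-style selection: SES event source and a deletion event name."""
    return record.get("eventSource") == SES_SOURCE and record.get("eventName") in DELETE_EVENTS


def detect(log_text):
    """Return one alert per SES identity deletion, in event-time order.

    Severity is raised to 'high' when the same principal performed SES setup
    or sending within LOOKBACK before the deletion; otherwise it stays at the
    rule's default of 'medium'.
    """
    records = sorted(json.loads(log_text)["Records"],
                     key=lambda r: parse_time(r["eventTime"]))
    recent_setup = {}  # principal ARN -> list of (time, eventName)
    alerts = []
    for rec in records:
        when = parse_time(rec["eventTime"])
        who = principal(rec)
        if rec.get("eventSource") == SES_SOURCE and rec.get("eventName") in SETUP_EVENTS:
            recent_setup.setdefault(who, []).append((when, rec["eventName"]))
            continue
        if not is_ses_identity_deletion(rec):
            continue
        prior = [name for (t, name) in recent_setup.get(who, []) if when - t <= LOOKBACK]
        alerts.append({
            "rule": "SES Identity Has Been Deleted",
            "time": rec["eventTime"],
            "principal": who,
            "source_ip": rec.get("sourceIPAddress"),
            "identity": deleted_identity(rec),
            "prior_ses_activity": prior,
            "severity": "high" if prior else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the constructed records, the contractor's deletion is escalated to high because the same principal verified the address and sent raw mail from it two hours earlier, while the `ops-cleanup` role's deletion of an old no-reply address stays at medium, and the IAM `DeleteUser` record is ignored because its event source is not SES. In production the lookback state would be keyed from a query over the trail's S3 bucket or CloudWatch Logs rather than held in memory.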