{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/resource-development/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple Notification Service"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","sns","resource-development","impact"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies when an AWS Simple Notification Service (SNS) topic is created by a user or role that doesn't typically perform this action. Adversaries might create SNS topics to stage capabilities for data exfiltration, lateral movement, or other malicious activities within the AWS environment. This detection leverages a \u0026quot;New Terms\u0026quot; rule, specifically designed to flag the initial occurrence of this behavior for a given user or role within an AWS account. The rule focuses on identifying anomalous SNS topic creation events, providing an early warning signal for potentially malicious activity related to resource development within AWS. It is triggered by the \u003ccode\u003eCreateTopic\u003c/code\u003e event in AWS CloudTrail logs, ensuring comprehensive coverage of SNS topic creation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed IAM role. (T1566)\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new SNS topic using the AWS CLI, SDK, or Console. The \u003ccode\u003eCreateTopic\u003c/code\u003e API call is made.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCreateTopic\u003c/code\u003e request includes parameters such as the topic name, display name, and other attributes related to the SNS topic configuration.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eCreateTopic\u003c/code\u003e event, capturing details such as the user identity (ARN, type, access key ID), source IP, user agent, and request parameters.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;New Terms\u0026quot; rule analyzes the CloudTrail logs and identifies that the user or role creating the SNS topic has not previously performed this action within the observed timeframe.\u003c/li\u003e\n\u003cli\u003eThe newly created SNS topic can be used by the attacker to subscribe to events and receive notifications about activities within the AWS environment. (T1496)\u003c/li\u003e\n\u003cli\u003eThe attacker can then configure the SNS topic to trigger Lambda functions or S3 events, which allows persistence in the environment.\u003c/li\u003e\n\u003cli\u003eUltimately, the adversary may use the SNS topic for data exfiltration, lateral movement, or other malicious purposes, leveraging the messaging capabilities of SNS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to stage capabilities within the AWS environment. While creating an SNS topic is not inherently malicious, it can be a precursor to more serious attacks. Depending on the subsequent actions taken by the attacker, this could lead to data exfiltration, resource hijacking, or other forms of impact within the AWS infrastructure. The severity depends on the scope of access available to the compromised user or role and the configurations of the newly created SNS topic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect unusual SNS topic creation activities (see rule: \u0026quot;AWS SNS Topic Created by Rare User\u0026quot;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and request parameters associated with the SNS topic creation event.\u003c/li\u003e\n\u003cli\u003eMonitor for further SNS modifications, such as Publish or Subscribe events, following the initial topic creation event (see Overview).\u003c/li\u003e\n\u003cli\u003eEnforce least privilege IAM policies and enable multi-factor authentication (MFA) to reduce the risk of unauthorized access to AWS resources (see Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-sns-topic-rare-user/","summary":"An AWS SNS topic was created by a user who does not typically perform this action, potentially indicating resource development for data exfiltration or other malicious activities.","title":"AWS SNS Topic Created by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-sns-topic-rare-user/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Route 53"],"_cs_severities":["high"],"_cs_tags":["aws","route53","domain-transfer","persistence","resource-development"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief addresses the unauthorized transfer of an AWS Route 53 domain to another AWS account. Route 53 is a scalable DNS web service, and control over a domain allows an attacker to modify DNS records, reroute traffic, and request certificates. The adversary could gain control by compromising an IAM user or leveraging long-lived credentials. Such a transfer can lead to persistence, traffic redirection, phishing attacks, or the staging of infrastructure for more extensive malicious operations. This activity is detected via CloudTrail logs when the \u003ccode\u003eTransferDomainToAnotherAwsAccount\u003c/code\u003e event is successfully invoked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account through compromised credentials or IAM role exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target domain within the Route 53 service.\u003c/li\u003e\n\u003cli\u003eThe attacker may disable the domain transfer lock using \u003ccode\u003eDisableDomainTransferLock\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a domain transfer to an AWS account under their control using the \u003ccode\u003eTransferDomainToAnotherAwsAccount\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe transfer is successful, granting the attacker administrative control over the domain's DNS records.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies DNS records to redirect traffic to malicious servers they control.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up phishing sites or redirects legitimate traffic to a command-and-control infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Route 53 domain transfer enables an attacker to fully manage the domain's DNS resources, potentially leading to traffic redirection, service outages, or domain hijacking for phishing or command-and-control. While the exact number of victims and sectors targeted is unknown, unauthorized domain transfers can severely impact any organization relying on AWS for DNS services. This could disrupt service availability, compromise sensitive data through phishing, or enable persistent access to internal networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Route 53 Domain Transferred to Another Account\u003c/code\u003e to detect successful \u003ccode\u003eTransferDomainToAnotherAwsAccount\u003c/code\u003e events in AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eDisableDomainTransferLock\u003c/code\u003e events followed by \u003ccode\u003eTransferDomainToAnotherAwsAccount\u003c/code\u003e as it indicates a possible domain transfer preparation.\u003c/li\u003e\n\u003cli\u003eRestrict domain transfer permissions to a minimal set of roles using IAM Conditions such as \u003ccode\u003eaws:PrincipalArn\u003c/code\u003e and \u003ccode\u003eaws:MultiFactorAuthPresent\u003c/code\u003e as recommended in the \u003ca href=\"https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/\"\u003eAWS Knowledge Center – Security Best Practices\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement change-management tracking for domain ownership modifications, correlating with approved internal requests as noted in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer/","summary":"An AWS Route 53 domain was transferred to another AWS account, potentially leading to unauthorized control over DNS records and traffic redirection for malicious purposes, such as phishing or establishing persistence.","title":"AWS Route 53 Domain Transferred to Another Account","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer/"}],"language":"en","title":"CraftedSignal Threat Feed - Resource-Development","version":"https://jsonfeed.org/version/1.1"}