{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sns/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple Notification Service"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","sns","exfiltration"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies when a user subscribes to an Amazon Simple Notification Service (SNS) topic using a protocol type that is new for that user. SNS allows subscriptions via various protocols, including email, SMS, Lambda functions, and HTTP endpoints. An adversary might exploit this feature to collect sensitive information or exfiltrate data by subscribing with an external email address, a cross-account AWS service, or other means. This \u0026quot;new terms\u0026quot; rule specifically triggers when a previously unseen protocol is used for a subscription by a given user, helping to surface potentially malicious or anomalous activity within an AWS environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an SNS topic containing sensitive data or acting as a conduit for valuable information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to subscribe to the targeted SNS topic.\u003c/li\u003e\n\u003cli\u003eThe attacker selects a rare or unusual protocol for the subscription, such as an external email address, an HTTP endpoint on a rogue server, or a Lambda function under their control.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the subscription to forward messages from the SNS topic to the chosen endpoint.\u003c/li\u003e\n\u003cli\u003eWhen messages are published to the SNS topic, they are automatically delivered to the attacker-controlled endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the exfiltrated data via the chosen protocol.\u003c/li\u003e\n\u003cli\u003eThe attacker covers their tracks by deleting CloudTrail logs or creating new subscriptions and deleting the original.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, unauthorized access to internal systems, or resource hijacking within the AWS environment. The severity depends on the sensitivity of the data transmitted through the SNS topic and the permissions associated with the compromised AWS account. This could result in financial loss, reputational damage, or legal repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;AWS SNS Rare Protocol Subscription by User\u0026quot; rule to your SIEM and tune the \u003ccode\u003ehistory_window_start\u003c/code\u003e to reduce false positives based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026quot;AWS SNS Rare Protocol Subscription by User\u0026quot; rule, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e fields to determine the actor and the protocol used.\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with users who trigger this alert to ensure the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eMonitor CloudTrail logs for subsequent \u003ccode\u003ePublish\u003c/code\u003e actions on the same SNS topic to detect potential data exfiltration attempts.\u003c/li\u003e\n\u003cli\u003eConfigure alerts for any unauthorized modifications to SNS topic policies or subscriptions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-22T12:00:00Z","date_published":"2024-11-22T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-aws-sns-rare-protocol/","summary":"A user subscribing to an SNS topic using a new protocol may indicate data exfiltration or unauthorized access by an adversary aiming to collect sensitive information or exfiltrate data.","title":"AWS SNS Rare Protocol Subscription by User","url":"https://feed.craftedsignal.io/briefs/2024-11-aws-sns-rare-protocol/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon Simple Notification Service"],"_cs_severities":["medium"],"_cs_tags":["aws","sns","lateral-movement","exfiltration","impact"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection rule identifies when a user or role publishes a message to an Amazon Simple Notification Service (SNS) topic for the first time. Attackers may abuse SNS topics for various malicious purposes, including internal spearphishing, data exfiltration, or lateral movement within the AWS environment. SNS topics are used to send notifications and messages to subscribed endpoints such as applications, mobile devices, or email addresses. A successful attack could lead to sensitive data being exposed or malicious content being distributed to a wide range of recipients. This rule leverages a \u0026quot;new terms\u0026quot; approach, focusing on identifying previously unseen behavior to surface potentially suspicious activity. It helps security teams detect unusual SNS activity and investigate potential security breaches in AWS environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment, potentially through compromised credentials or exploiting a misconfigured IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers accessible SNS topics within the AWS environment using AWS CLI or SDKs.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an SNS topic with a broad subscription base, such as one connected to an internal communications channel.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes a malicious message to the SNS topic using the AWS CLI, SDK, or AWS Management Console, utilizing a rare or new user account.\u003c/li\u003e\n\u003cli\u003eThe SNS service delivers the message to all subscribed endpoints, including applications, mobile devices, or email addresses.\u003c/li\u003e\n\u003cli\u003eRecipients of the malicious message may be tricked into clicking on a phishing link or downloading malicious content, leading to further compromise of their systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the compromised systems for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves impact by spreading malware, stealing sensitive information, or disrupting business operations through the compromised systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting SNS topics can lead to several negative consequences. Internal spearphishing attacks could compromise employees and sensitive data. Data exfiltration through SNS messages may lead to regulatory violations and reputational damage. Resource hijacking could allow attackers to leverage AWS resources for malicious purposes, increasing costs and potentially disrupting services. Organizations in any sector that rely on AWS for their infrastructure are vulnerable, and the number of potential victims depends on the scope and reach of the SNS topic subscriptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for SNS data events to ensure the necessary logs are captured (reference: setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect rare users publishing SNS messages (reference: rules section). Tune the \u003ccode\u003ehistory_window_start\u003c/code\u003e parameter in the rule to match your environment's baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.resources.arn\u003c/code\u003e to identify the actor and SNS topic involved (reference: rule.investigation_fields).\u003c/li\u003e\n\u003cli\u003eReview IAM policies associated with users and roles publishing to SNS topics to ensure appropriate permissions are enforced and minimize potential misuse (reference: T1534, T1496).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual API calls related to SNS, such as \u003ccode\u003eAssumeRole\u003c/code\u003e or \u003ccode\u003eCreateAccessKey\u003c/code\u003e, associated with the rare user (reference: T1102).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-sns-rare-user/","summary":"This rule identifies when an SNS topic message is published by a rare user in AWS, which may indicate lateral movement, data exfiltration, or phishing campaigns, potentially leading to resource hijacking and impact on cloud services.","title":"AWS SNS Topic Message Publish by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-sns-rare-user/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple Notification Service"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","sns","resource-development","impact"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis detection identifies when an AWS Simple Notification Service (SNS) topic is created by a user or role that doesn't typically perform this action. Adversaries might create SNS topics to stage capabilities for data exfiltration, lateral movement, or other malicious activities within the AWS environment. This detection leverages a \u0026quot;New Terms\u0026quot; rule, specifically designed to flag the initial occurrence of this behavior for a given user or role within an AWS account. The rule focuses on identifying anomalous SNS topic creation events, providing an early warning signal for potentially malicious activity related to resource development within AWS. It is triggered by the \u003ccode\u003eCreateTopic\u003c/code\u003e event in AWS CloudTrail logs, ensuring comprehensive coverage of SNS topic creation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exposed IAM role. (T1566)\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a new SNS topic using the AWS CLI, SDK, or Console. The \u003ccode\u003eCreateTopic\u003c/code\u003e API call is made.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCreateTopic\u003c/code\u003e request includes parameters such as the topic name, display name, and other attributes related to the SNS topic configuration.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eCreateTopic\u003c/code\u003e event, capturing details such as the user identity (ARN, type, access key ID), source IP, user agent, and request parameters.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;New Terms\u0026quot; rule analyzes the CloudTrail logs and identifies that the user or role creating the SNS topic has not previously performed this action within the observed timeframe.\u003c/li\u003e\n\u003cli\u003eThe newly created SNS topic can be used by the attacker to subscribe to events and receive notifications about activities within the AWS environment. (T1496)\u003c/li\u003e\n\u003cli\u003eThe attacker can then configure the SNS topic to trigger Lambda functions or S3 events, which allows persistence in the environment.\u003c/li\u003e\n\u003cli\u003eUltimately, the adversary may use the SNS topic for data exfiltration, lateral movement, or other malicious purposes, leveraging the messaging capabilities of SNS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to stage capabilities within the AWS environment. While creating an SNS topic is not inherently malicious, it can be a precursor to more serious attacks. Depending on the subsequent actions taken by the attacker, this could lead to data exfiltration, resource hijacking, or other forms of impact within the AWS infrastructure. The severity depends on the scope of access available to the compromised user or role and the configurations of the newly created SNS topic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect unusual SNS topic creation activities (see rule: \u0026quot;AWS SNS Topic Created by Rare User\u0026quot;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user identity, source IP, and request parameters associated with the SNS topic creation event.\u003c/li\u003e\n\u003cli\u003eMonitor for further SNS modifications, such as Publish or Subscribe events, following the initial topic creation event (see Overview).\u003c/li\u003e\n\u003cli\u003eEnforce least privilege IAM policies and enable multi-factor authentication (MFA) to reduce the risk of unauthorized access to AWS resources (see Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-sns-topic-rare-user/","summary":"An AWS SNS topic was created by a user who does not typically perform this action, potentially indicating resource development for data exfiltration or other malicious activities.","title":"AWS SNS Topic Created by Rare User","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-sns-topic-rare-user/"}],"language":"en","title":"CraftedSignal Threat Feed - Sns","version":"https://jsonfeed.org/version/1.1"}