<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sqs - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/sqs/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/sqs/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS SQS Queue Purge Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-sqs-queue-purge/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-sqs-queue-purge/</guid><description>Detection of AWS Simple Queue Service (SQS) queue purging, which adversaries may leverage to disrupt application workflows, destroy operational data, or impair monitoring and alerting systems by removing critical evidence of malicious activity.</description><content:encoded><![CDATA[<p>This alert detects the purging of an AWS Simple Queue Service (SQS) queue. AWS SQS is a managed message queuing service commonly used to decouple services and buffer events across distributed and serverless architectures. Adversaries may abuse the <code>PurgeQueue</code> action to remove messages, potentially disrupting application workflows, destroying operational data, or impairing security monitoring and alerting by deleting audit and security events. Defenders should investigate unexpected <code>PurgeQueue</code> events, especially in production environments, to determine whether the action aligns with documented procedures and expected operational behavior. The rule focuses on successful <code>PurgeQueue</code> events within AWS CloudTrail logs and should be deployed to monitor critical SQS queues.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to an AWS account through compromised credentials or a misconfigured IAM role.</li>
<li>The attacker identifies SQS queues that contain valuable operational or security-related data.</li>
<li>The attacker uses the <code>aws sqs purge-queue</code> command or AWS API to purge the targeted queue.</li>
<li>The <code>PurgeQueue</code> API call is logged as a <code>PurgeQueue</code> event in AWS CloudTrail.</li>
<li>All messages within the targeted SQS queue are permanently deleted.</li>
<li>Downstream systems that rely on messages from the purged queue experience disruption or data loss.</li>
<li>Security monitoring systems that ingest logs from the purged queue miss critical security events.</li>
<li>The attacker further exploits the environment, potentially performing data exfiltration or other malicious activities, with reduced visibility due to the purged logs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful purging of an SQS queue can lead to significant disruption of application workflows and data loss. If the queue contains security-related logs, it can impair monitoring and alerting capabilities, allowing adversaries to operate with reduced visibility. The impact can range from temporary service interruptions to the permanent loss of critical operational data, depending on the purpose and content of the purged queue. This activity could affect a wide range of sectors using AWS SQS, including e-commerce, finance, and healthcare.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS SQS Queue Purge Detected&quot; to your SIEM and tune it for your environment to detect unauthorized queue purges in near real-time.</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>access_key_id</code> in CloudTrail logs to determine the identity that initiated the <code>PurgeQueue</code> action.</li>
<li>Reinforce least-privilege IAM policies to limit which identities can perform the <code>PurgeQueue</code> action, as outlined in the AWS Knowledge Center – Security Best Practices.</li>
<li>Enhance monitoring and alerting for destructive SQS actions, especially in production environments, using CloudTrail and CloudWatch.</li>
<li>Investigate events where <code>event.action</code> is <code>PurgeQueue</code> and <code>event.outcome</code> is <code>success</code> in AWS CloudTrail logs.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>sqs</category><category>defense-evasion</category><category>impact</category></item></channel></rss>