rules/cloud/aws/aws_ses_messaging_enabled.yml

title: Potential AWS Cloud Email Service Abuse
id: 60b84424-a724-4502-bd0d-cc676e1bc90e
status: experimental
description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/12
modified: 2022/12/28
tags:
    - attack.t1583.006
    - attack.resource_development
logsource:
    product: aws
    service: cloudtrail
detection:
    selection1:
        eventSource: 'ses.amazonaws.com'
        eventName: 'UpdateAccountSendingEnabled'
    selection2:
        eventSource: 'ses.amazonaws.com'
        eventName: 'VerifyEmailIdentity'
    timeframe: 5m
    condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events
falsepositives:
    - Legitimate SES configuration activity
level: medium
Further improved several AWS rules (#3827 ) 2022-12-29 05:46:36 +11:00			`title: Potential AWS Cloud Email Service Abuse`
fix: duplicate id 2022-12-16 10:32:18 +01:00			`id: 60b84424-a724-4502-bd0d-cc676e1bc90e`
$frack113$ Change to LF 2022-12-16 09:24:19 +01:00			`status: experimental`
Further improved several AWS rules (#3827 ) 2022-12-29 05:46:36 +11:00			`description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession`
$frack113$ Change to LF 2022-12-16 09:24:19 +01:00			`references:`
			`- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/`
			`author: Janantha Marasinghe`
			`date: 2022/12/12`
Further improved several AWS rules (#3827 ) 2022-12-29 05:46:36 +11:00			`modified: 2022/12/28`
$frack113$ Change to LF 2022-12-16 09:24:19 +01:00			`tags:`
			`- attack.t1583.006`
			`- attack.resource_development`
			`logsource:`
			`product: aws`
			`service: cloudtrail`
			`detection:`
			`selection1:`
fix: enhance metadata information 2022-12-23 11:01:57 +01:00			`eventSource: 'ses.amazonaws.com'`
$frack113$ Change to LF 2022-12-16 09:24:19 +01:00			`eventName: 'UpdateAccountSendingEnabled'`
			`selection2:`
fix: enhance metadata information 2022-12-23 11:01:57 +01:00			`eventSource: 'ses.amazonaws.com'`
$frack113$ Change to LF 2022-12-16 09:24:19 +01:00			`eventName: 'VerifyEmailIdentity'`
			`timeframe: 5m`
fix: enhance metadata information 2022-12-23 11:01:57 +01:00			`condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events`
$frack113$ Change to LF 2022-12-16 09:24:19 +01:00			`falsepositives:`
			`- Legitimate SES configuration activity`
			`level: medium`