security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da07164ce0d651bf72691bac1cfcafbf20249de
blue-team-tools/rules/cloud/aws/aws_ses_messaging_enabled.yml
T
BlueTeamOps 05135ec828 Further improved several AWS rules (#3827) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-28 19:46:36 +01:00

28 lines
972 B
YAML
Raw Blame History

title: Potential AWS Cloud Email Service Abuse
id: 60b84424-a724-4502-bd0d-cc676e1bc90e
status: experimental
description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/12
modified: 2022/12/28
tags:
- attack.t1583.006
- attack.resource_development
logsource:
product: aws
service: cloudtrail
detection:
selection1:
eventSource: 'ses.amazonaws.com'
eventName: 'UpdateAccountSendingEnabled'
selection2:
eventSource: 'ses.amazonaws.com'
eventName: 'VerifyEmailIdentity'
timeframe: 5m
condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events
falsepositives:
- Legitimate SES configuration activity
level: medium
Reference in New Issue View Git Blame Copy Permalink