AWS Threat Hunting Ideas: SNS

Overview:

The following are some threat hunting ideas for the SNS service. Each one names the CloudTrail event to pivot on and shows the aws cloudtrail lookup-events query for it; note that lookup-events searches only the 90-day Event history of management events, so data-plane events such as Publish have to be read from a trail delivered to S3 or from CloudTrail Lake.

1. Unauthorized Topic Creation (CreateTopic)

  • Goal: Detect unauthorized creation of SNS topics for malicious purposes.

  • CloudTrail Event: CreateTopic

  • Hunting Idea:

    • Identify topics created by unexpected users or during unusual times.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateTopic
    • Monitor for a sudden spike in topic creation, which may indicate an automated attack or misuse.

2. Suspected Data Exfiltration (Publish)

  • Goal: Detect data exfiltration attempts by sending sensitive data through SNS topics.

  • CloudTrail Event: Publish

  • Hunting Idea:

    • Look for Publish events containing large payloads or frequent invocations from unknown users.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Publish
    • Correlate with other data exfiltration indicators (e.g., unusual traffic in VPC Flow Logs).

3. Unauthorized Topic Deletion (DeleteTopic)

  • Goal: Detect attempts to delete SNS topics to disrupt communication or hide malicious activity.

  • CloudTrail Event: DeleteTopic

  • Hunting Idea:

    • Monitor for DeleteTopic events on critical topics, especially during off-hours.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteTopic
    • Cross-reference with other logs to check if topic deletion is part of a larger attack.

4. Suspicious Subscription Modifications (Subscribe/Unsubscribe)

  • Goal: Detect unauthorized changes to SNS subscriptions.

  • CloudTrail Events: Subscribe, Unsubscribe

  • Hunting Idea:

    • Monitor Subscribe events to ensure only authorized entities subscribe to topics.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Subscribe
    • Investigate Unsubscribe events to ensure critical subscriptions are not removed maliciously.

5. Modifying Topic Policies (SetTopicAttributes)

  • Goal: Detect unauthorized policy changes that might expose SNS topics.

  • CloudTrail Event: SetTopicAttributes

  • Hunting Idea:

    • Hunt for changes that make topics publicly accessible or reduce security controls.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SetTopicAttributes
    • Look for cross-account access granted to unknown AWS accounts.

6. Enabling or Disabling Logging (SetTopicAttributes)

  • Goal: Detect disabling of SNS delivery status logging to hide malicious activity.

  • CloudTrail Event: SetTopicAttributes

  • Hunting Idea:

    • Monitor changes to delivery status logging configuration to ensure logging remains enabled.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SetTopicAttributes

7. Cross-Account Access Grant (AddPermission/RemovePermission)

  • Goal: Detect unauthorized permissions allowing cross-account access to SNS topics.

  • CloudTrail Events: AddPermission, RemovePermission

  • Hunting Idea:

    • Monitor AddPermission events to ensure cross-account access is not granted without approval.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddPermission
    • Look for RemovePermission events targeting security-critical topics.
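Items 5, 6 and 7 all come down to inspecting the requestParameters of SetTopicAttributes and AddPermission records. The Python below is an added illustration, not code from the CTHFM material: it walks a batch of CloudTrail records and flags a topic policy that allows Principal *, a grant to an account outside a constructed allow-list, and a delivery-status feedback role being cleared. It assumes records already pulled from a trail (for example lookup-events --output json), that the requestParameters keys appear as topicArn, attributeName, attributeValue and aWSAccountId, and uses hypothetical account IDs and ARNs.

```python
import json

# Hypothetical allow-list: the accounts permitted to hold rights on our topics (constructed IDs).
TRUSTED_ACCOUNTS = {"111111111111"}

def allowed_principals(policy_json):
    """Principals named by Allow statements of a topic access policy ('*' is kept literally)."""
    stmts = json.loads(policy_json).get("Statement", [])
    out = set()
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        p = s.get("Principal", {})
        if s.get("Effect") == "Allow":
            aws = p if isinstance(p, str) else p.get("AWS", [])   # "Principal": "*" or {"AWS": ...}
            out.update([aws] if isinstance(aws, str) else aws)
    return out

def account_of(principal):
    """12-digit account ID from an ARN ('arn:aws:iam::<acct>:root') or a bare account-ID principal."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal

def hunt_sns_permission_changes(events):
    """(topic, caller, reason) for events that open a topic to outsiders or silence its delivery logging."""
    findings = []
    for ev in events:
        name, req = ev.get("eventName"), ev.get("requestParameters", {})
        topic, who, attr = req.get("topicArn"), ev.get("userIdentity", {}).get("arn"), req.get("attributeName", "")
        # Item 6: a *FeedbackRoleArn attribute set to an empty value turns delivery status logging off.
        if name == "SetTopicAttributes" and attr.endswith("FeedbackRoleArn") and not req.get("attributeValue"):
            findings.append((topic, who, f"delivery status logging disabled ({attr} cleared)"))
        # Items 5 and 7: who gains access, either through a new Policy document or an AddPermission grant.
        grants = (allowed_principals(req.get("attributeValue") or "{}") if (name, attr) == ("SetTopicAttributes", "Policy")
                  else req.get("aWSAccountId", []) if name == "AddPermission" else [])
        for p in grants:
            if p == "*":
                findings.append((topic, who, "policy allows anonymous principal *"))
            elif account_of(p) not in TRUSTED_ACCOUNTS:
                findings.append((topic, who, f"access granted to untrusted account {account_of(p)}"))
    return findings

# Constructed CloudTrail-shaped records trimmed to the fields used; key names are an assumption to verify.
TOPIC = "arn:aws:sns:us-east-1:111111111111:alerts"
ALICE = "arn:aws:iam::111111111111:user/alice"
SAMPLE_EVENTS = [
    {"eventName": "SetTopicAttributes", "userIdentity": {"arn": ALICE}, "requestParameters": {
        "topicArn": TOPIC, "attributeName": "Policy",
        "attributeValue": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "SNS:Subscribe"}]})}},
    {"eventName": "AddPermission", "userIdentity": {"arn": ALICE}, "requestParameters": {
        "topicArn": TOPIC, "label": "partner", "aWSAccountId": ["999999999999"], "actionName": ["SNS:Publish"]}},
    {"eventName": "SetTopicAttributes", "userIdentity": {"arn": ALICE}, "requestParameters": {
        "topicArn": TOPIC, "attributeName": "HTTPFailureFeedbackRoleArn", "attributeValue": ""}},
]
```

Running hunt_sns_permission_changes(SAMPLE_EVENTS) yields one finding per sample record; a Policy that only names accounts in TRUSTED_ACCOUNTS produces none.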

8. Unusual Topic Usage (Publish)

  • Goal: Detect anomalies in topic usage patterns.

  • CloudTrail Event: Publish

  • Hunting Idea:

    • Identify topics with an unusually high rate of Publish events, which could indicate abuse.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Publish
    • Correlate with CloudWatch metrics to spot performance issues or misuse.

9. Unauthorized Delivery Protocol Changes (SetSubscriptionAttributes)

  • Goal: Detect changes in delivery protocols (e.g., switching from HTTPS to HTTP) that reduce security.

  • CloudTrail Event: SetSubscriptionAttributes

  • Hunting Idea:

    • Monitor changes in subscription protocols, especially if switched to less secure protocols.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SetSubscriptionAttributes

10. Message Flooding (Publish/Subscribe)

  • Goal: Detect message flooding or DoS attacks using SNS topics.

  • CloudTrail Events: Publish, Subscribe

  • Hunting Idea:

    • Hunt for a sudden spike in Publish events or large-scale subscriptions that may indicate flooding.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=Publish
    • Look for patterns where multiple unknown accounts subscribe to the same topic.
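Items 1, 2, 8 and 10 are all rate questions over the same records, so one pass can serve them. The Python below is an added example, not part of the original page: it applies a sliding-window burst threshold per caller to Publish and CreateTopic records and reports topics subscribed to from more than one account outside a constructed home-account list. It assumes the records came from a trail delivered to S3 or from CloudTrail Lake (Publish is an SNS data event that Event history does not return), and every ARN, account ID and threshold is hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)                        # sliding window for the rate checks (tunable)
MAX_PER_WINDOW = {"Publish": 3, "CreateTopic": 2}    # constructed thresholds sized for the sample below
HOME_ACCOUNTS = {"111111111111"}                     # hypothetical account IDs we own

def hunt_sns_bursts(events):
    """(eventName, caller) pairs whose Publish/CreateTopic calls exceed MAX_PER_WINDOW inside any WINDOW."""
    recent = defaultdict(deque)        # (eventName, caller) -> timestamps still inside the window
    findings = set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev["eventName"]
        if name not in MAX_PER_WINDOW:
            continue
        who = ev["userIdentity"].get("arn", "unknown")
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[(name, who)]
        q.append(t)
        while t - q[0] > WINDOW:       # evict calls that have fallen out of the window
            q.popleft()
        if len(q) > MAX_PER_WINDOW[name]:
            findings.add((name, who))
    return sorted(findings)

def hunt_foreign_subscribers(events):
    """Topics that received Subscribe calls from more than one account outside HOME_ACCOUNTS."""
    subs = defaultdict(set)
    for ev in events:
        acct = ev["userIdentity"].get("accountId")
        if ev["eventName"] == "Subscribe" and acct not in HOME_ACCOUNTS:
            subs[ev["requestParameters"]["topicArn"]].add(acct)
    return {topic: sorted(accts) for topic, accts in subs.items() if len(accts) > 1}

# Constructed CloudTrail-shaped records (only the fields used above); hypothetical ARNs and account IDs.
TOPIC = "arn:aws:sns:us-east-1:111111111111:alerts"
def _ev(name, when, arn, acct):
    return {"eventName": name, "eventTime": when, "userIdentity": {"arn": arn, "accountId": acct},
            "requestParameters": {"topicArn": TOPIC}}

BURSTY = "arn:aws:iam::111111111111:user/compromised"
SAMPLE_EVENTS = [_ev("Publish", f"2024-05-01T10:0{i}:00Z", BURSTY, "111111111111") for i in range(4)] + [
    _ev("Publish", "2024-05-01T11:00:00Z", "arn:aws:iam::111111111111:role/app", "111111111111"),
    _ev("Subscribe", "2024-05-01T10:10:00Z", "arn:aws:iam::222222222222:user/x", "222222222222"),
    _ev("Subscribe", "2024-05-01T10:11:00Z", "arn:aws:iam::333333333333:user/y", "333333333333"),
]
```

Tune WINDOW and MAX_PER_WINDOW from a baseline of normal Publish volume per caller before using the burst check for alerting.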


Last updated 8 months ago