AWS Threat Hunting Ideas: SQS

Overview:

The following are some threat hunting ideas for the SQS service.

1. Unauthorized Queue Creation (CreateQueue)

  • Goal: Detect unauthorized SQS queue creation, which could be used for malicious purposes.

  • CloudTrail Event: CreateQueue

  • Hunting Idea:

    • Look for CreateQueue events initiated by unusual users or during off-hours.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateQueue
    • Monitor for large numbers of queues being created suddenly, indicating possible abuse or misconfiguration.

2. Queue Policy Modification (SetQueueAttributes)

  • Goal: Detect unauthorized modifications to queue attributes or policies.

  • CloudTrail Event: SetQueueAttributes

  • Hunting Idea:

    • Hunt for changes that make queues publicly accessible or remove security controls.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SetQueueAttributes
    • Investigate changes to policies that allow cross-account access.

3. Suspicious Message Consumption (ReceiveMessage)

  • Goal: Detect unauthorized or unexpected message consumption from queues.

  • CloudTrail Event: ReceiveMessage

  • Hunting Idea:

    • Identify high-frequency ReceiveMessage events, which may indicate data scraping or abuse.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ReceiveMessage
    • Look for message consumption from unexpected users or roles.

4. Deleting Messages from Queues (DeleteMessage/DeleteMessageBatch)

  • Goal: Detect attackers removing messages to disrupt workflows or hide activities.

  • CloudTrail Event: DeleteMessage, DeleteMessageBatch

  • Hunting Idea:

    • Monitor for large-scale or unauthorized DeleteMessage events that may disrupt critical operations.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteMessage

5. Deleting Queues (DeleteQueue)

  • Goal: Detect attackers deleting queues to disrupt workflows or remove evidence.

  • CloudTrail Event: DeleteQueue

  • Hunting Idea:

    • Monitor for DeleteQueue events, especially involving critical queues.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteQueue
    • Cross-reference with other events to detect if the deletion is part of a larger attack.

6. Unauthorized Access (AddPermission/RemovePermission)

  • Goal: Detect unauthorized permission changes to SQS queues.

  • CloudTrail Event: AddPermission, RemovePermission

  • Hunting Idea:

    • Monitor AddPermission events for actions that grant cross-account access or make the queue publicly accessible.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddPermission
    • Investigate RemovePermission events, which may be attempts to strip access from legitimate producers or consumers of the queue.

7. Message Injection or Spamming (SendMessage/SendMessageBatch)

  • Goal: Detect unauthorized message injection or spam messages disrupting the system.

  • CloudTrail Event: SendMessage, SendMessageBatch

  • Hunting Idea:

    • Look for unexpected or high-frequency SendMessage events from unknown sources.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SendMessage
    • Identify cases where batch messages flood a queue, causing disruptions.

8. Changes to Dead-Letter Queues (SetQueueAttributes)

  • Goal: Detect unauthorized changes to dead-letter queues (DLQs) used for error handling.

  • CloudTrail Event: SetQueueAttributes

  • Hunting Idea:

    • Monitor SetQueueAttributes events for changes that disable or redirect dead-letter queues.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SetQueueAttributes

9. Cross-Account Queue Access Abuse (AddPermission)

  • Goal: Detect attackers attempting to grant cross-account access to SQS queues.

  • CloudTrail Event: AddPermission

  • Hunting Idea:

    • Identify AddPermission events that allow cross-account access or anonymous usage.

      aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AddPermission
    • Investigate permissions granted to unknown AWS accounts or public access.
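A scanner, added here as an example and not part of the original page, that runs hunts 2, 6, 8 and 9 over CloudTrail records: it flags queue policies and AddPermission grants to "*" or to accounts outside an allow-list, and RedrivePolicy changes that detach or redirect the dead-letter queue. The records, the allow-list and the requestParameters field names (attributes, aWSAccountIds) are constructed to mirror the SQS API parameters; confirm the exact casing against your own trail.

```python
import json

TRUSTED_ACCOUNTS = {"111111111111"}  # constructed allow-list of accounts that may touch our queues
Q = "https://sqs.us-east-1.amazonaws.com/111111111111/orders"

SAMPLE_EVENTS = [  # constructed CloudTrail records, trimmed to the fields the hunt reads
    {"eventName": "SetQueueAttributes", "requestParameters": {"queueUrl": Q, "attributes": {
        "Policy": '{"Statement":[{"Effect":"Allow","Principal":"*","Action":"sqs:*"}]}'}}},
    {"eventName": "AddPermission", "requestParameters": {"queueUrl": Q, "aWSAccountIds": ["222222222222"]}},
    {"eventName": "SetQueueAttributes", "requestParameters": {"queueUrl": Q, "attributes": {"RedrivePolicy": ""}}},
    {"eventName": "CreateQueue", "requestParameters": {"queueName": "audit"}},
]

def account_of(principal):
    # Account id from an ARN or a bare id; "*" (and "") pass through unchanged.
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def allow_principals(policy):
    # Every principal granted by an Allow statement; CloudTrail carries Policy as a JSON string.
    policy = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in policy.get("Statement", []):
        p = stmt.get("Principal", {}) if stmt.get("Effect") == "Allow" else {}
        vals = ["*"] if p == "*" else p.get("AWS", []) if isinstance(p, dict) else []
        yield from ([vals] if isinstance(vals, str) else vals)

def findings_for(event):
    # (reason, detail) pairs for one record; empty list when nothing looks risky.
    name, params = event.get("eventName"), event.get("requestParameters") or {}
    attrs, out = params.get("attributes") or {}, []
    if name == "SetQueueAttributes" and "Policy" in attrs:          # hunts 2 and 9
        for acct in map(account_of, allow_principals(attrs["Policy"])):
            if acct == "*":
                out.append(("public-principal", params.get("queueUrl")))
            elif acct not in TRUSTED_ACCOUNTS:
                out.append(("cross-account", acct))
    if name == "SetQueueAttributes" and "RedrivePolicy" in attrs:   # hunt 8
        rp = attrs["RedrivePolicy"]  # empty string detaches the DLQ
        target = json.loads(rp).get("deadLetterTargetArn", "") if rp else ""
        if account_of(target) not in TRUSTED_ACCOUNTS:
            reason = "dlq-removed" if not rp else "dlq-redirected"
            out.append((reason, target or params.get("queueUrl")))
    if name == "AddPermission":                                     # hunts 6 and 9
        out += [("cross-account", a) for a in params.get("aWSAccountIds") or []
                if a not in TRUSTED_ACCOUNTS]
    return out

def scan(events):
    return [(e["eventName"], r, d) for e in events for r, d in findings_for(e)]
```

Feed scan the records from a trail or CloudTrail Lake query rather than lookup-events output alone: SQS data-plane calls (ReceiveMessage, SendMessage, DeleteMessage) are data events that Event history does not return, so hunts 3, 4 and 7 need SQS data events enabled on the trail.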
