administrators may purge sqs queues for legitimate reasons, such as removing outdated or sensitive data.

t1562
aws
elastic

Techniques

T1562

Sample rules

AWS SQS Queue Purge

source: elastic
technicques:
- T1562

Description

Identifies when an AWS Simple Queue Service (SQS) queue is purged. Adversaries may purge SQS queues to disrupt operations, delete messages, or impair monitoring and alerting mechanisms. This action can be used to evade detection and cover tracks by removing evidence of malicious activities.

Detection logic

event.dataset:"aws.cloudtrail"
    and event.provider:"sqs.amazonaws.com"
    and event.action:"PurgeQueue"
    and event.outcome:"success"