Techniques
Sample rules
AWS SNS Rare Protocol Subscription by User
- source: elastic
- techniques:
  - T1496
  - T1530
  - T1567
Description
Identifies when a user subscribes to an SNS topic using a new protocol type (e.g., email, http, lambda, etc.). SNS allows users to subscribe to receive topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, a cross-account AWS service, or other means. This rule identifies a new protocol subscription method for a particular user.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "sns.amazonaws.com"
and event.action: "Subscribe"
and event.outcome: "success"
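The query above only selects successful SNS Subscribe events; the "new protocol for a particular user" part is a first-seen check layered on top of it. The following is an added example, not Elastic's rule code, that applies both steps to constructed events. The key names `user.name` and `sns.protocol` and the 10-day history window are assumptions made for this sketch.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)

def ev(day, user, protocol, action="Subscribe", outcome="success"):
    # Constructed sample event. The four event.* keys are the fields the rule
    # queries; "user.name" and "sns.protocol" are assumed names for this sketch.
    return {"@timestamp": T0 + timedelta(days=day),
            "event.dataset": "aws.cloudtrail",
            "event.provider": "sns.amazonaws.com",
            "event.action": action, "event.outcome": outcome,
            "user.name": user, "sns.protocol": protocol}

SAMPLE_EVENTS = [
    ev(0, "alice", "email"),                      # first email subscription for alice
    ev(1, "alice", "email"),                      # same pair again: not new
    ev(1, "alice", None, action="Publish"),       # not a Subscribe call
    ev(2, "alice", "http"),                       # new protocol for alice
    ev(2, "bob", "email"),                        # tracked per user: new for bob
    ev(3, "alice", "lambda", outcome="failure"),  # failed call is filtered out
    ev(20, "alice", "email"),                     # last seen on day 1, outside window
]

def matches_query(e):
    # Same four conditions as the detection logic on this page.
    return (e.get("event.dataset") == "aws.cloudtrail"
            and e.get("event.provider") == "sns.amazonaws.com"
            and e.get("event.action") == "Subscribe"
            and e.get("event.outcome") == "success")

def rare_protocol_alerts(events, history=timedelta(days=10)):
    # Flag a matching event when its (user, protocol) pair was not seen
    # within the history window before the event.
    last_seen, alerts = {}, []
    matching = sorted(filter(matches_query, events), key=lambda e: e["@timestamp"])
    for e in matching:
        key = (e["user.name"], e["sns.protocol"])
        prev = last_seen.get(key)
        if prev is None or e["@timestamp"] - prev > history:
            alerts.append(e)
        last_seen[key] = e["@timestamp"]
    return alerts

if __name__ == "__main__":
    for a in rare_protocol_alerts(SAMPLE_EVENTS):
        print(a["@timestamp"].date(), a["user.name"], a["sns.protocol"])
```

With an empty history every user's first subscription alerts, so expect a burst of alerts until the history window has filled.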