New attack technique: SES enumeration activities #501
Conversation
Co-authored-by: Alessandro Brucato <[email protected]> Signed-off-by: Lorenzo Susini <[email protected]>
Thanks for the PR! Will review it in the coming days
Thank you @christophetd!
v2/internal/attacktechniques/aws/discovery/ses-enumerate/main.tf
When an attacker wants to enumerate SES, they can achieve the same outcome in two different ways:
Not sure which one we should be using, any thoughts? I've also asked in the Cloud Security Forum Slack
@loresuso I've made a few changes to make enumeration slightly more aggressive, are you comfortable with the changes and can you have a look? Thanks!
We are aware of the two alternatives, but initially thought to use GetSendQuota just because the GetAccount API call wasn't mentioned in the article we linked. Thinking about it, GetAccount should be better from an attacker's point of view because:
6363dd1 to 0fa5252
By the way, thanks, the changes look good to me, especially the additional step with the
I think everything is good, when you want we can get this merged :) @christophetd I also have another question: I believe we could also implement another technique where we try to send an email using
If we can find evidence that it's been abused in the wild (e.g. write-up) yes it would be perfect
What does this PR do?
New attack technique
Motivation
Attackers may use AWS SES to send phishing emails from a victim's AWS account. One of the objectives of the attackers could be sending as many emails as possible from a verified source to start a phishing campaign. Before doing that, and as described by this research, they can call some APIs for enumeration, like ses:GetSendQuota and ses:ListIdentities.
Checklist
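A defender-side check for the enumeration pattern the description refers to, added here as an example that is not part of this PR or of Stratus Red Team: it scans CloudTrail records for the SES read-only calls named in the thread (GetSendQuota, ListIdentities, and the GetAccount alternative) and flags any principal that issues two or more distinct ones within a short window. The CloudTrail records are constructed samples, and it is my assumption that all three calls are logged under eventSource ses.amazonaws.com with those eventName values.

```python
from collections import defaultdict
from datetime import datetime, timezone

# SES read-only calls the technique issues (GetSendQuota, ListIdentities) plus the
# GetAccount alternative raised in the thread. Assumption: CloudTrail logs all three
# under eventSource "ses.amazonaws.com" with these eventName values.
SES_ENUM_CALLS = {"GetSendQuota", "ListIdentities", "GetAccount"}

# Constructed CloudTrail records (not real logs). "compromised" enumerates in quick
# succession; "legit" sends mail and checks its quota once; "slow" makes two
# enumeration calls an hour apart, which the default window does not flag.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "ses.amazonaws.com", "eventName": "ListIdentities",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"}},
    {"eventTime": "2024-01-01T10:00:10Z", "eventSource": "ses.amazonaws.com", "eventName": "GetAccount",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/legit"}},
    {"eventTime": "2024-01-01T10:30:00Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/legit"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/slow"}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "ListIdentities",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/slow"}},
]

def ses_enumeration_by_principal(records, window_seconds=300):
    """Map principal ARN -> sorted distinct SES enumeration calls, for each principal
    that issued two or more distinct SES_ENUM_CALLS within window_seconds."""
    calls_by_arn = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "ses.amazonaws.com" or rec.get("eventName") not in SES_ENUM_CALLS:
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        calls_by_arn[rec["userIdentity"]["arn"]].append((ts, rec["eventName"]))
    findings = {}
    for arn, calls in calls_by_arn.items():
        calls.sort()  # chronological; try a window starting at each call in turn
        for i, (start, _) in enumerate(calls):
            names = {name for ts, name in calls[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(names) >= 2:
                findings[arn] = sorted(names)
                break
    return findings

if __name__ == "__main__":
    for arn, names in ses_enumeration_by_principal(SAMPLE_RECORDS).items():
        print(f"possible SES enumeration by {arn}: {', '.join(names)}")
```

A single GetSendQuota from an application that checks its own quota is not flagged on its own, which keeps the check focused on the multi-call pattern the thread describes.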