New attack technique: SES enumeration activities #501
Conversation
Co-authored-by: Alessandro Brucato <alessandro.brucato@protonmail.com> Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
loresuso
changed the title
|
Thanks for the PR! Will review it in the coming days |
|
Thank you @christophetd! |
v2/internal/attacktechniques/aws/discovery/ses-enumerate/main.tf
Outdated
Show resolved
Hide resolved
|
When an attacker wants to enumerate SES, they can achieve the same outcome in two different ways:
Not sure which one we should be using, any thoughts? I've also asked in the Cloud Security Forum Slack |
|
@loresuso I've made a few changes to make enumeration slightly more aggressive, are you comfortable with the changes and can you have a look? Thanks! |
|
We are aware of the two alternatives, but initially thought to use GetSendQuota just because the GetAccount API call wasn't mentioned in the article we linked. Thinking about it, GetAccount should be better from an attacker's point of view because:
|
christophetd
force-pushed
the
ses-email-attack-technique
branch
from
6363dd1
to
0fa5252
Compare
|
By the way, thanks, the changes look good to me, especially the additional step with the |
|
I think everything is good, when you want we can get this merged :) @christophetd I also have another question: I believe we could also implement another technique where we try to send an email using |
|
If we can find evidence that it's been abused in the wild (e.g. write-up) yes it would be perfect |
What does this PR do?
New attack technique
Motivation
Attackers may use AWS SES to send phishing emails from a victim's AWS account. One of the objectives of the attackers could be sending as many emails as possible from a verified source to start a phishing campaign. Before doing that, and as described by this research , they can call some APIs for enumeration, like
ses:GetSendQuotaandses:ListIdentitiesChecklist