Enumerate SES

idempotent

Platform: AWS

MITRE ATT&CK Tactics

• Discovery

Description

Simulates an attacker enumerating SES. Attackers frequently use this enumeration technique after having compromised an access key, to use it to launch phishing campaigns or further resell stolen credentials.

Warm-up: None.

Detonation:

• Perform ses:GetAccountSendingEnabled to check if SES sending is enabled.
• Perform ses:GetSendQuota to discover the current email sending quotas.
• Perform ses:ListIdentities to discover the list of identities in the account.
• If identities are found, use ses:GetIdentityVerificationAttributes (only once) to discover verification status of each identity.

References:

• https://securitylabs.datadoghq.com/articles/following-attackers-trail-in-aws-methodology-findings-in-the-wild/#most-common-enumeration-techniques
• https://www.invictus-ir.com/news/ransomware-in-the-cloud
• https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/#post-125981-_kdq0vw6banab
• https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
• https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me

Instructions

Detonate with Stratus Red Team

stratus detonate aws.discovery.ses-enumerate

Detection

Through CloudTrail's GetAccountSendingEnabled, GetSendQuota and ListIdentities events. These can be considered suspicious especially when performed by a long-lived access key, or when the calls span across multiple regions.