T1496.003 CrowdStrike LogScale · LogScale

Detect SMS Pumping in CrowdStrike LogScale

Adversaries may leverage messaging services for SMS pumping, a telecommunications fraud technique where the attacker first obtains a block of phone numbers from a carrier, then abuses a victim's SMS infrastructure to generate large volumes of messages to those numbers. The adversary earns per-message payments from the carrier proportional to traffic volume. Attack vectors typically target public-facing web forms — OTP verification, account confirmation, password reset — backed by services such as Twilio, AWS SNS, or Amazon Cognito. Indicators include a spike in SMS API calls from a small set of source IPs, sequential or numerically adjacent destination phone numbers, destination numbers concentrated in high-fraud carrier prefixes, and a sharp increase in SMS-related cloud spend. Unlike volumetric DoS, SMS pumping is financially motivated: the attacker profits directly from the victim's messaging bill.

MITRE ATT&CK

Tactic
Impact
Technique
T1496 Resource Hijacking
Sub-technique
T1496.003 SMS Pumping
Canonical reference
https://attack.mitre.org/techniques/T1496/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// Branch 1: High-frequency DNS lookups to SMS provider API domains (primary signal)
(#event_simpleName = "DnsRequest"
| DomainName = /(?i)(api\.twilio\.com|sns\.amazonaws\.com|rest\.nexmo\.com|api\.vonage\.com|api\.plivo\.com|messaging\.bandwidth\.com|api\.telnyx\.com|rest\.messagebird\.com|eu\.api\.sinch\.com|api\.infobip\.com)/
| groupBy(
    [aid, ComputerName, DomainName],
    function=[
      count(as=EventCount),
      dc(ContextProcessId, as=UniqueProcesses),
      collect(FileName, limit=10),
      min(ContextTimeStamp, as=FirstSeen),
      max(ContextTimeStamp, as=LastSeen)
    ]
  )
| where EventCount > 50
| eval DetectionBranch = "DNSLookup-SMSProvider"
| eval RiskScore = if(EventCount > 1000, "Critical", if(EventCount > 500, "High", "Medium")))
| union [
// Branch 2: High-volume outbound TCP connections from application processes
  #event_simpleName = "NetworkConnectIP4"
  | RemotePort in [443, 80, 8443]
  | TargetProcessName = /(?i)\.(exe|py|rb|js|jar|sh|php)$/
  | groupBy(
      [aid, ComputerName, RemoteAddressIP4, TargetProcessName],
      function=[
        count(as=EventCount),
        dc(RemotePort, as=UniquePorts),
        min(ContextTimeStamp, as=FirstSeen),
        max(ContextTimeStamp, as=LastSeen)
      ]
    )
  | where EventCount > 200
  | eval DetectionBranch = "NetworkConnect-HighVolumeHTTPS"
  | eval RiskScore = if(EventCount > 2000, "Critical", if(EventCount > 1000, "High", "Medium"))
]
| sort(EventCount, order=desc)
high severity medium confidence

Detects T1496.003 SMS Pumping in CrowdStrike Falcon LogScale (CQL) via two complementary branches. Branch 1 (higher fidelity) identifies hosts performing more than 50 DNS lookups to known SMS provider API domains (Twilio, AWS SNS, Vonage, Plivo, etc.) within the query window — this strongly indicates application-layer SMS API abuse running on that host. Branch 2 (broader coverage) identifies application-process-originated outbound TCP connections to ports 443/80 exceeding 200 connections per remote IP, catching cases where DNS is resolved externally or cached. Results from both branches are unioned and sorted by event count. Tune Branch 1 threshold (>50) against the DNS lookup baseline for legitimate application servers in your environment. Branch 2 requires process context filtering to reduce noise from general web traffic.

Data Sources

CrowdStrike Falcon Sensor DnsRequest events (#event_simpleName=DnsRequest)CrowdStrike Falcon Sensor NetworkConnectIP4 events (#event_simpleName=NetworkConnectIP4)CrowdStrike Falcon Sensor ProcessRollup2 events for process context enrichment

Required Tables

DnsRequest (#event_simpleName)NetworkConnectIP4 (#event_simpleName)

False Positives & Tuning

  • Application servers running legitimate notification services (e.g., a Node.js backend sending transactional SMS for e-commerce orders) will generate sustained high DNS lookup volumes to Twilio or SNS — establish per-ComputerName baselines and tune the EventCount threshold or exclude known application server AIDs via a suppression list
  • Security scanning or asset discovery tools that enumerate cloud API endpoints and generate DNS lookups as a side effect of HTTP fingerprinting modules during authorized scanning windows
  • Microservice health-check frameworks (e.g., Consul, Kubernetes liveness probes) that repeatedly resolve SMS provider hostnames to verify DNS reachability as part of dependency readiness checks, producing steady low-rate lookup volumes that briefly spike during pod restarts
  • CI/CD pipeline agents running integration tests that invoke live SMS provider APIs against test-mode credentials during automated build pipelines, generating repeated lookups from the same agent host
Download portable Sigma rule (.yml)

Other platforms for T1496.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS SNS Publish Burst to Phone Number via CLI

    Expected signal: AWS CloudTrail: 15 eventName=Publish events from eventSource=sns.amazonaws.com within ~5 seconds, each with requestParameters containing phoneNumber=+15550001234 and message content. Events appear in CloudTrail within ~15 minutes. SNS CloudWatch metric NumberOfMessagesSentToPhoneNumbers increments by 15. SMSMonthToDateSpentUSD increases.

  2. Test 2Amazon Cognito ForgotPassword OTP Flood

    Expected signal: AWS CloudTrail: up to 20 eventName=ForgotPassword events from eventSource=cognito-idp.amazonaws.com within ~10 seconds, all sharing the same sourceIPAddress. requestParameters.username will be consistent across all events. Cognito may throttle after ~5 rapid requests, generating ThrottlingException errors also visible in CloudTrail.

  3. Test 3OTP Form Endpoint Burst via curl Parallel Requests

    Expected signal: Application Insights AppRequests table: 60 request entries for /api/auth/send-otp with identical ClientIP (local machine), ResultCode 200 or 429 (rate-limited), arriving within a ~15-second window. Telemetry visible in Application Insights within 1-2 minutes. If Application Insights SDK is not instrumented in the local app, substitute with reviewing the application access log.

  4. Test 4Twilio REST API SMS Burst

    Expected signal: Twilio Console: 5 outbound messages visible under Monitor > Logs > Messaging Logs within seconds. Twilio REST API: GET /2010-04-01/Accounts/{AccountSid}/Messages.json returns 5 records with Direction=outbound-api, Status=delivered or sent. Twilio usage record increments SMSSent by 5. NOTE: Direct Twilio API calls do NOT generate AWS CloudTrail or Azure Diagnostic events — detection requires Twilio Event Streams ingested into SIEM or Twilio's native fraud scoring dashboard.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1496.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1496Resource Hijacking

Related Sub-techniques

T1496.001Compute HijackingT1496.002Bandwidth HijackingT1496.004Cloud Service Hijacking

Related Techniques

T1496Resource HijackingT1496.001Compute HijackingT1496.002Bandwidth HijackingT1499.003Application Exhaustion FloodT1078.004Cloud AccountsT1190Exploit Public-Facing ApplicationT1110.004Credential Stuffing

Same Tactic: Impact

Popular Detections