Detect Cloud Service Hijacking in Google Chronicle
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, impacting hosted service availability and incurring significant financial costs for victims. Primary attack vectors include: (1) Email/SMS spam campaigns abusing AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio to send bulk phishing or spam messages using the victim's service quotas and sending reputation; (2) LLMJacking, where adversaries use stolen cloud credentials to proxy AI model inference requests (AWS Bedrock, Azure OpenAI) through reverse proxies, effectively monetizing access to expensive LLM compute while billing the victim; (3) Enabling previously inactive cloud SaaS services and immediately exploiting them at scale. Threat actor DangerDev (documented by Invictus IR) abused AWS SES for large-scale phishing campaigns, SNS Sender toolkits (documented by SentinelOne) enable SMS pumping at scale, and LLMJacking campaigns (documented by Sysdig and Lacework) demonstrate adversaries reselling stolen LLM API access.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1496 Resource Hijacking
- Sub-technique: T1496.004 Cloud Service Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1496/004/
YARA-L Detection Query

rule cloud_service_hijacking_aws_ses_high_volume {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects high-volume AWS SES email sending (>100 successful calls per identity per hour) indicating spam or phishing campaigns. MITRE ATT&CK T1496.004 Cloud Service Hijacking — Impact tactic. Documented threat actor: DangerDev (Invictus IR)."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.004"
    severity = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1496/004/"
    false_positives = "Bulk marketing email sends, transactional notification systems during peak traffic"

  events:
    $e.metadata.product_name = "AWS CloudTrail"
    $e.target.application in nocase ["ses.amazonaws.com"]
    $e.metadata.product_event_type in nocase [
      "SendEmail", "SendRawEmail", "SendBulkTemplatedEmail",
      "SendBulkEmail", "SendTemplatedEmail"
    ]
    // Drop calls CloudTrail recorded as failed (AccessDenied, MessageRejected, ...)
    not $e.security_result.action = "BLOCK"
    $user_arn = $e.principal.user.userid
    $region = $e.principal.location.name

  match:
    $user_arn, $region over 1h

  condition:
    #e > 100
}

rule cloud_service_hijacking_aws_sns_sms_pumping {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects high-volume AWS SNS publishing (>200 successful calls per identity per hour) indicating SMS pumping or bulk spam campaigns. MITRE ATT&CK T1496.004 Cloud Service Hijacking — Impact tactic. Documented toolkits: SNS Sender (SentinelOne research)."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.004"
    severity = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1496/004/"
    false_positives = "SMS OTP systems, mobile push notification infrastructure, CloudWatch alarm fanout"

  events:
    $e.metadata.product_name = "AWS CloudTrail"
    $e.target.application in nocase ["sns.amazonaws.com"]
    $e.metadata.product_event_type in nocase ["Publish", "PublishBatch"]
    not $e.security_result.action = "BLOCK"
    $user_arn = $e.principal.user.userid
    $region = $e.principal.location.name

  match:
    $user_arn, $region over 1h

  condition:
    #e > 200
}

rule cloud_service_hijacking_aws_bedrock_llmjacking {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects high-frequency AWS Bedrock LLM invocations (>50 successful calls per identity per hour) indicating LLMJacking — adversaries using stolen credentials to proxy AI model inference and resell access. MITRE ATT&CK T1496.004. Documented campaigns by Sysdig and Lacework."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.004"
    severity = "CRITICAL"
    reference = "https://attack.mitre.org/techniques/T1496/004/"
    false_positives = "ML batch inference pipelines, model evaluation jobs, AI-powered application backends during traffic spikes"

  events:
    $e.metadata.product_name = "AWS CloudTrail"
    $e.target.application in nocase ["bedrock.amazonaws.com"]
    $e.metadata.product_event_type in nocase [
      "InvokeModel", "InvokeModelWithResponseStream",
      "CreateModelInvocationJob", "InvokeAgent"
    ]
    not $e.security_result.action = "BLOCK"
    $user_arn = $e.principal.user.userid
    $region = $e.principal.location.name

  match:
    $user_arn, $region over 1h

  condition:
    #e > 50
}

rule cloud_service_hijacking_enable_then_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects the DangerDev pattern: a cloud SaaS service (SES, SNS, Bedrock) is enabled or configured by an identity, followed within 6 hours by high-volume API usage from the same identity. Indicates adversaries enabling previously dormant services to abuse at scale immediately after gaining access. MITRE ATT&CK T1496.004."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1496.004"
    severity = "CRITICAL"
    reference = "https://attack.mitre.org/techniques/T1496/004/"
    false_positives = "Infrastructure-as-code deployments that provision and immediately test SaaS service endpoints"

  events:
    // Enablement / configuration event
    $enable.metadata.product_name = "AWS CloudTrail"
    $enable.metadata.product_event_type in nocase [
      "CreateEmailIdentity", "VerifyEmailIdentity", "PutIdentityPolicy",
      "SetSMSAttributes", "CreateTopic",
      "PutFoundationModelEntitlement", "CreateFoundationModelAgreement",
      "PutModelInvocationLoggingConfiguration"
    ]
    not $enable.security_result.action = "BLOCK"

    // Subsequent usage events from the same identity
    $abuse.metadata.product_name = "AWS CloudTrail"
    $abuse.target.application in nocase [
      "ses.amazonaws.com", "sns.amazonaws.com", "bedrock.amazonaws.com"
    ]
    $abuse.metadata.product_event_type in nocase [
      "SendEmail", "SendRawEmail", "Publish", "PublishBatch",
      "InvokeModel", "InvokeModelWithResponseStream"
    ]
    not $abuse.security_result.action = "BLOCK"

    // Join on identity and require the enablement to precede the usage
    $enable.principal.user.userid = $abuse.principal.user.userid
    $enable.metadata.event_timestamp.seconds < $abuse.metadata.event_timestamp.seconds
    $user_arn = $enable.principal.user.userid

  match:
    $user_arn over 6h

  condition:
    // Both event variables are referenced: at least one enablement event and more than 10 usage events
    $enable and #abuse > 10
}

Four YARA-L 2.0 rules detecting Cloud Service Hijacking (T1496.004) in Google Chronicle via UDM events sourced from AWS CloudTrail: (1) SES high-volume email sending >100/hr per identity/region (spam or phishing); (2) SNS high-volume publishing >200/hr per identity/region (SMS pumping); (3) Bedrock LLM invocations >50/hr per identity/region (LLMJacking — documented by Sysdig/Lacework); (4) service enablement followed by >10 usage events within 6 hours (DangerDev pattern — documented by Invictus IR). Rules use UDM fields: metadata.product_name, target.application, metadata.product_event_type, principal.user.userid, principal.location.name. The fourth rule uses Chronicle's cross-event correlation to sequence enablement before abuse by the same identity.
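To check the rule logic above against sample telemetry before deploying it (for example in a CI job over exported CloudTrail JSON), the following Python models the same four detections offline: per-identity, per-region hourly volume thresholds for SES, SNS and Bedrock, plus the enable-then-abuse sequence, with the reference-list exclusion of known bulk-sending role ARNs described under False Positives & Tuning. This is an added example, not Chronicle's engine or the detection package's own code. It reads raw CloudTrail field names (eventName, eventSource, userIdentity.arn, awsRegion, eventTime, errorCode) rather than UDM, treats any record carrying errorCode as the equivalent of security_result.action = "BLOCK" (an approximation of the Chronicle parser), buckets by fixed clock hour rather than Chronicle's match window, and all ARNs and records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds and event names copied from the four YARA-L rules above.
VOLUME_RULES = {
    "ses.amazonaws.com": ({"SendEmail", "SendRawEmail", "SendBulkTemplatedEmail",
                           "SendBulkEmail", "SendTemplatedEmail"}, 100),
    "sns.amazonaws.com": ({"Publish", "PublishBatch"}, 200),
    "bedrock.amazonaws.com": ({"InvokeModel", "InvokeModelWithResponseStream",
                               "CreateModelInvocationJob", "InvokeAgent"}, 50),
}
ENABLE_EVENTS = {"CreateEmailIdentity", "VerifyEmailIdentity", "PutIdentityPolicy",
                 "SetSMSAttributes", "CreateTopic", "PutFoundationModelEntitlement",
                 "CreateFoundationModelAgreement", "PutModelInvocationLoggingConfiguration"}
ABUSE_EVENTS = {"SendEmail", "SendRawEmail", "Publish", "PublishBatch",
                "InvokeModel", "InvokeModelWithResponseStream"}
SEQUENCE_WINDOW = timedelta(hours=6)
SEQUENCE_MIN_ABUSE = 10  # rule 4 condition: #abuse > 10


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def succeeded(rec):
    # Approximation (assumption): a CloudTrail record with errorCode
    # (AccessDenied, MessageRejected, ...) is treated like a BLOCK action.
    return "errorCode" not in rec


def volume_alerts(records, allowlist=frozenset()):
    """Rules 1-3: successful calls per identity, region and service, bucketed by clock hour."""
    counts = defaultdict(int)
    for rec in records:
        service = rec["eventSource"]
        if service not in VOLUME_RULES or not succeeded(rec):
            continue
        names, _ = VOLUME_RULES[service]
        if rec["eventName"] not in names:
            continue
        arn = rec["userIdentity"]["arn"]
        if arn in allowlist:  # stands in for a Chronicle reference list of known bulk senders
            continue
        hour = parse_time(rec["eventTime"]).replace(minute=0, second=0)
        counts[(arn, rec["awsRegion"], service, hour)] += 1
    return sorted((arn, region, service, n)
                  for (arn, region, service, _), n in counts.items()
                  if n > VOLUME_RULES[service][1])


def enable_then_abuse_alerts(records):
    """Rule 4: an enablement event followed, within 6h and by the same identity, by >10 usage calls."""
    by_arn = defaultdict(list)
    for rec in records:
        if succeeded(rec):
            by_arn[rec["userIdentity"]["arn"]].append(rec)
    alerts = []
    for arn, recs in by_arn.items():
        enables = [parse_time(r["eventTime"]) for r in recs if r["eventName"] in ENABLE_EVENTS]
        abuses = [parse_time(r["eventTime"]) for r in recs
                  if r["eventName"] in ABUSE_EVENTS and r["eventSource"] in VOLUME_RULES]
        for t0 in enables:
            n = sum(1 for t in abuses if t0 < t <= t0 + SEQUENCE_WINDOW)
            if n > SEQUENCE_MIN_ABUSE:
                alerts.append((arn, t0, n))
                break  # one alert per identity is enough for this model
    return alerts


# ---- constructed sample CloudTrail records (not real telemetry) ----
def make(arn, region, source, name, t, **extra):
    rec = {"userIdentity": {"arn": arn}, "awsRegion": region, "eventSource": source,
           "eventName": name, "eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ")}
    rec.update(extra)
    return rec


BASE = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SPAMMER = "arn:aws:iam::111111111111:user/compromised-dev"            # constructed
STOLEN = "arn:aws:iam::111111111111:user/stolen-key"                  # constructed
APP_ROLE = "arn:aws:sts::111111111111:assumed-role/notif-svc/app"     # constructed, known bulk sender
SAMPLE_RECORDS = (
    # DangerDev pattern: identity created, then 120 sends within minutes (trips rules 1 and 4)
    [make(SPAMMER, "us-east-1", "ses.amazonaws.com", "CreateEmailIdentity", BASE)]
    + [make(SPAMMER, "us-east-1", "ses.amazonaws.com", "SendEmail", BASE + timedelta(seconds=5 + i))
       for i in range(120)]
    # 5 rejected sends: carry errorCode, so never counted
    + [make(SPAMMER, "us-east-1", "ses.amazonaws.com", "SendEmail", BASE + timedelta(seconds=200 + i),
            errorCode="MessageRejected") for i in range(5)]
    # LLMJacking pattern: 60 Bedrock invocations in one hour from a second identity (trips rule 3)
    + [make(STOLEN, "us-west-2", "bedrock.amazonaws.com", "InvokeModel", BASE + timedelta(seconds=30 * i))
       for i in range(60)]
    # Legitimate high-volume app role: 150 sends, excluded via allowlist
    + [make(APP_ROLE, "us-east-1", "ses.amazonaws.com", "SendEmail", BASE + timedelta(seconds=i))
       for i in range(150)]
)

if __name__ == "__main__":
    for alert in volume_alerts(SAMPLE_RECORDS, allowlist={APP_ROLE}):
        print("volume:", alert)
    for alert in enable_then_abuse_alerts(SAMPLE_RECORDS):
        print("enable-then-abuse:", alert)
```

Running the block reports the SES volume alert and the enable-then-abuse alert for the compromised user, and the Bedrock volume alert for the stolen key, while the allowlisted application role stays silent even though it sent more messages than the threshold; dropping the allowlist shows why the reference-list tuning is needed.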
Data Sources
Required Tables
False Positives & Tuning
- Terraform or CloudFormation deployments that call CreateEmailIdentity and then immediately validate the SES configuration with a test send — exclude known IaC execution role ARNs from rule 4
- High-traffic production applications using SES or SNS through shared IAM roles will exceed thresholds during peak usage periods — create Chronicle reference lists for known high-volume service account ARNs
- Bedrock-backed AI features in production SaaS products may exceed 50 invocations/hr during user traffic spikes — correlate with CloudWatch application metrics and exclude production service role ARNs
Other platforms for T1496.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS SES High-Volume Email Sending Simulation
Expected signal: AWS CloudTrail: 10 events with EventName=SendEmail, EventSource=ses.amazonaws.com, originating from the caller IAM ARN and source IP. CloudWatch Metrics: SES NumberOfEmailsSent increments by 10. Sentinel AWSCloudTrail table: events appear within 5 minutes of AWS CloudTrail delivery delay.
- Test 2: AWS SNS SMS Publishing Burst with Promotional Configuration
Expected signal: AWS CloudTrail: SetSMSAttributes event (RequestParameters shows DefaultSMSType=Promotional), CreateTopic event with TopicName=argus-t1496004-test, and 5 x Publish events, all from the same IAM ARN within a short time window. CloudWatch: SNS NumberOfMessagesSent and SMSMonthToDateSpentUSD metrics increment.
- Test 3: AWS Bedrock LLM Invocation Burst (LLMJacking Simulation)
Expected signal: AWS CloudTrail: 15 x EventName=InvokeModel, EventSource=bedrock.amazonaws.com, with ModelId=amazon.titan-text-lite-v1 in RequestParameters, all from the same IAM ARN and source IP. CloudWatch: Bedrock InvocationCount metric increments by 15. If Bedrock invocation logging is enabled, S3 or CloudWatch Logs capture input prompts and responses.
- Test 4: SES Service Enablement Then Immediate Abuse Pattern
Expected signal: AWS CloudTrail: CreateEmailIdentity event followed within seconds by a SendEmail event (possibly ErrorCode=MessageRejected if unverified), then a GetEmailIdentity event — all from the same IAM ARN and source IP within a 1-2 minute window. The sub-minute gap between CreateEmailIdentity and SendEmail is the key forensic indicator.
References (12)
- https://attack.mitre.org/techniques/T1496/004/
- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
- https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
- https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
- https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html
- https://docs.aws.amazon.com/sns/latest/dg/sms_stats_cloudwatch.html
- https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
- https://docs.microsoft.com/en-us/azure/sentinel/connect-aws-cloudtrail
- https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudTrail
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md