Detect Cloud Service Hijacking in CrowdStrike LogScale
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, impacting hosted service availability and incurring significant financial costs for victims. Primary attack vectors include: (1) Email/SMS spam campaigns abusing AWS Simple Email Service (SES), AWS Simple Notification Service (SNS), SendGrid, and Twilio to send bulk phishing or spam messages using the victim's service quotas and sending reputation; (2) LLMJacking, where adversaries use stolen cloud credentials to proxy AI model inference requests (AWS Bedrock, Azure OpenAI) through reverse proxies, effectively monetizing access to expensive LLM compute while billing the victim; (3) Enabling previously inactive cloud SaaS services and immediately exploiting them at scale. Threat actor DangerDev (documented by Invictus IR) abused AWS SES for large-scale phishing campaigns, SNS Sender toolkits (documented by SentinelOne) enable SMS pumping at scale, and LLMJacking campaigns (documented by Sysdig and Lacework) demonstrate adversaries reselling stolen LLM API access.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1496 Resource Hijacking
- Sub-technique: T1496.004 Cloud Service Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1496/004/
LogScale Detection Query

```
// High-volume SaaS service abuse: SES, SNS, Bedrock (branches 1-3)
#type="aws:cloudtrail"
| in(field=eventSource, values=["ses.amazonaws.com", "sns.amazonaws.com", "bedrock.amazonaws.com"])
| in(field=eventName, values=[
    "SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail", "SendTemplatedEmail",
    "Publish", "PublishBatch",
    "InvokeModel", "InvokeModelWithResponseStream", "CreateModelInvocationJob", "InvokeAgent"
  ])
// Successful calls only: CloudTrail sets errorCode when the API call was denied or failed
| errorCode != *
// Label the service, the attack category and the per-service hourly threshold in one pass
| case {
    eventSource = "ses.amazonaws.com"     | ServiceAbused := "AWS SES"     | AttackCategory := "Email Spam or Phishing Campaign"     | Threshold := 100;
    eventSource = "sns.amazonaws.com"     | ServiceAbused := "AWS SNS"     | AttackCategory := "SMS Pumping or Bulk Spam"           | Threshold := 200;
    eventSource = "bedrock.amazonaws.com" | ServiceAbused := "AWS Bedrock" | AttackCategory := "LLM Resource Hijacking (LLMJacking)" | Threshold := 50;
    * | ServiceAbused := "Unknown" | AttackCategory := "SaaS Service Abuse" | Threshold := 50
  }
| timeBucket := formatTime("%Y-%m-%d %H:00", field=@timestamp, timezone="UTC")
// sourceIPAddress is deliberately not a group key: grouping by it would make UniqueIPs always 1
| groupBy(
    [timeBucket, ServiceAbused, AttackCategory, Threshold, userIdentity.arn, userIdentity.type, awsRegion],
    function=[
      count(as=EventCount),
      count(field=sourceIPAddress, distinct=true, as=UniqueIPs),
      collect([sourceIPAddress], limit=10)
    ]
  )
| test(EventCount > Threshold)
// Base score from the volume multiple over the service threshold
| case {
    test(EventCount > Threshold * 10) | SuspicionScore := 3;
    test(EventCount > Threshold * 3)  | SuspicionScore := 2;
    * | SuspicionScore := 1
  }
// Stacked risk signals: proxy fan-out, credential type, throwaway-looking principal names
| IpBonus   := if(UniqueIPs > 3, then=1, else=0)
| RoleBonus := if(regex("(AssumedRole|FederatedUser)", field=userIdentity.type), then=1, else=0)
| NameBonus := if(regex("(temp|tmp|test|anon|random|burner)", field=userIdentity.arn), then=1, else=0)
| SuspicionScore := SuspicionScore + IpBonus + RoleBonus + NameBonus
| sort(EventCount, order=desc, limit=200)
| select([timeBucket, ServiceAbused, AttackCategory, EventCount, Threshold, SuspicionScore, userIdentity.arn, userIdentity.type, UniqueIPs, sourceIPAddress, awsRegion])
```

Detects Cloud Service Hijacking (T1496.004) in CrowdStrike LogScale by filtering AWS CloudTrail events to successful SES/SNS/Bedrock abuse operations, grouping them into 1-hour buckets by service, caller ARN, identity type, and region (source IPs are collected per group rather than used as a key, so UniqueIPs can exceed 1), then applying service-specific thresholds (SES >100, SNS >200, Bedrock >50). SuspicionScore is computed by stacking risk signals: volume multiples over threshold (+1 at 3x, +1 at 10x), multiple source IPs suggesting proxy routing (+1), use of AssumedRole or FederatedUser identity types common in credential theft (+1), and temporary/anonymous ARN naming patterns (+1). Requires AWS CloudTrail data to be ingested into LogScale with #type=aws:cloudtrail. Fields reference standard CloudTrail JSON payload keys: eventSource, eventName, errorCode, userIdentity.arn, userIdentity.type, sourceIPAddress, awsRegion.
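To check the grouping and scoring rules before deploying the query, here is an added Python replica (example code written for this page, not the page's own query or any CrowdStrike tooling) that applies the same per-service thresholds and SuspicionScore signals to constructed CloudTrail-style records. SERVICES, ABUSE_EVENTS, make_event and the SAMPLE data are assumptions built for the example; the account id and IP ranges are documentation placeholders.

```python
# Added example, not part of the original page: offline replica of the LogScale detection.
from collections import defaultdict
from datetime import datetime, timezone
import re

# Per-service label, category and hourly threshold, mirroring the query's case block
SERVICES = {
    "ses.amazonaws.com": ("AWS SES", "Email Spam or Phishing Campaign", 100),
    "sns.amazonaws.com": ("AWS SNS", "SMS Pumping or Bulk Spam", 200),
    "bedrock.amazonaws.com": ("AWS Bedrock", "LLM Resource Hijacking (LLMJacking)", 50),
}
ABUSE_EVENTS = {
    "SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail", "SendTemplatedEmail",
    "Publish", "PublishBatch",
    "InvokeModel", "InvokeModelWithResponseStream", "CreateModelInvocationJob", "InvokeAgent",
}
TEMP_ARN = re.compile(r"(temp|tmp|test|anon|random|burner)")
STOLEN_CRED_TYPES = re.compile(r"(AssumedRole|FederatedUser)")


def hour_bucket(event_time: str) -> str:
    """Mirror formatTime("%Y-%m-%d %H:00") on a CloudTrail eventTime (ISO-8601, UTC)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:00")


def suspicion_score(count: int, threshold: int, unique_ips: int, identity_type: str, arn: str) -> int:
    """Stack the query's risk signals: volume multiple, proxy fan-out, credential type, ARN naming."""
    score = 3 if count > threshold * 10 else 2 if count > threshold * 3 else 1
    score += 1 if unique_ips > 3 else 0
    score += 1 if STOLEN_CRED_TYPES.search(identity_type) else 0
    score += 1 if TEMP_ARN.search(arn) else 0
    return score


def detect(events: list[dict]) -> list[dict]:
    """Group successful abuse calls per hour/service/caller/region and return rows over threshold."""
    groups: dict[tuple, list[str]] = defaultdict(list)  # group key -> source IPs seen
    for ev in events:
        src = ev.get("eventSource")
        if src not in SERVICES or ev.get("eventName") not in ABUSE_EVENTS:
            continue
        if "errorCode" in ev:  # denied or failed calls are excluded, like `errorCode != *`
            continue
        ident = ev.get("userIdentity", {})
        key = (hour_bucket(ev["eventTime"]), src, ident.get("arn", ""), ident.get("type", ""),
               ev.get("awsRegion", ""))
        groups[key].append(ev.get("sourceIPAddress", ""))

    alerts = []
    for (bucket, src, arn, itype, region), ips in groups.items():
        service, category, threshold = SERVICES[src]
        count, unique_ips = len(ips), len(set(ips))
        if count <= threshold:
            continue
        alerts.append({
            "timeBucket": bucket, "ServiceAbused": service, "AttackCategory": category,
            "EventCount": count, "Threshold": threshold, "UniqueIPs": unique_ips,
            "SuspicionScore": suspicion_score(count, threshold, unique_ips, itype, arn),
            "arn": arn, "awsRegion": region,
        })
    return sorted(alerts, key=lambda a: a["EventCount"], reverse=True)


def make_event(source, name, arn, itype, ip, minute, error=None) -> dict:
    """Build a constructed, minimal CloudTrail record (not real telemetry)."""
    ev = {"eventSource": source, "eventName": name, "eventTime": f"2024-05-01T13:{minute:02d}:00Z",
          "userIdentity": {"arn": arn, "type": itype}, "sourceIPAddress": ip, "awsRegion": "us-east-1"}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample: 160 Bedrock calls spread over 4 IPs from an assumed role with a throwaway name,
# 30 legitimate SES sends under the threshold, and 20 denied Bedrock calls that must not count.
SAMPLE = (
    [make_event("bedrock.amazonaws.com", "InvokeModel", "arn:aws:sts::111122223333:assumed-role/tmp-dev/proxy",
                "AssumedRole", f"203.0.113.{i % 4}", i % 60) for i in range(160)]
    + [make_event("ses.amazonaws.com", "SendEmail", "arn:aws:iam::111122223333:role/marketing-sender",
                  "IAMUser", "198.51.100.7", i % 60) for i in range(30)]
    + [make_event("bedrock.amazonaws.com", "InvokeModel", "arn:aws:sts::111122223333:assumed-role/tmp-dev/proxy",
                  "AssumedRole", "203.0.113.9", 5, error="AccessDeniedException") for _ in range(20)]
)

if __name__ == "__main__":
    for row in detect(SAMPLE):
        print(row)
```

On the sample the Bedrock group alone crosses its threshold (160 events against 50, scoring 2 for volume, +1 for four source IPs, +1 for AssumedRole, +1 for the "tmp" in the ARN), while the denied calls and the sub-threshold SES sends produce nothing, which is the behaviour to confirm against the live query before trusting it.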
Data Sources
Required Tables
False Positives & Tuning
- Automated email delivery platforms using SES will spike EventCount during scheduled campaign sends — add known marketing IAM role ARN patterns to a LogScale lookup table and exclude them from threshold evaluation
- SNS-backed mobile notification systems generating burst Publish events during app launches, breaking news alerts, or A/B test fanout — correlate with application deployment logs and create time-window exclusions
- Bedrock-powered production features (chatbots, content moderation, search) will generate high InvokeModel volumes during traffic spikes — build a baseline per ARN using the LogScale anomaly detection function and alert only on deviations above 3 standard deviations rather than static thresholds
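The allowlist and per-ARN baseline suggested in the first and third tuning items, as an added Python example (not from the page or from LogScale): it consumes hourly count rows of the kind the query emits, skips sanctioned sender ARNs in place of a lookup table, and flags a count more than three standard deviations above that ARN's own history. ALLOWLIST, HISTORY and CURRENT are constructed values; the minimum history length and the standard-deviation floor are design assumptions for the example.

```python
# Added example, not part of the original page: baseline-based tuning for the detection.
import re
from statistics import mean, pstdev

# Hypothetical allowlist of sanctioned bulk senders, standing in for the LogScale lookup table
ALLOWLIST = [re.compile(p) for p in (
    r":role/marketing-sender$",
    r":role/push-notification-service$",
)]


def is_allowlisted(arn: str) -> bool:
    """True when the caller ARN matches a known, sanctioned bulk-sending role."""
    return any(p.search(arn) for p in ALLOWLIST)


def baseline_alerts(history: dict[str, list[int]], current: dict[str, int],
                    sigmas: float = 3.0, min_history: int = 24) -> list[dict]:
    """Flag ARNs whose current hourly count exceeds mean + sigmas * stddev of their own history.

    ARNs with fewer than min_history hours are skipped here and left to the static threshold.
    A zero-variance history (a steady cron job) uses a stddev floor of 1 so that a single
    extra call is not reported as a multi-sigma event.
    """
    alerts = []
    for arn, count in current.items():
        if is_allowlisted(arn):
            continue
        hist = history.get(arn, [])
        if len(hist) < min_history:
            continue
        mu, sd = mean(hist), max(pstdev(hist), 1.0)
        z = (count - mu) / sd
        if z > sigmas:
            alerts.append({"arn": arn, "count": count, "baseline_mean": round(mu, 1), "z": round(z, 2)})
    return alerts


# Constructed hourly EventCount history (24 prior hours) and the current hour per ARN
HISTORY = {
    "arn:aws:iam::111122223333:role/chatbot-backend": [100] * 12 + [120] * 12,
    "arn:aws:iam::111122223333:role/search-ranker": [40] * 24,
}
CURRENT = {
    "arn:aws:iam::111122223333:role/chatbot-backend": 150,      # 4 sigma above its own baseline
    "arn:aws:iam::111122223333:role/search-ranker": 42,         # within noise
    "arn:aws:iam::111122223333:role/marketing-sender": 5000,    # sanctioned campaign send
    "arn:aws:sts::111122223333:assumed-role/new-role/x": 900,   # no history yet: static threshold applies
}

if __name__ == "__main__":
    for row in baseline_alerts(HISTORY, CURRENT):
        print(row)
```

Keep the static thresholds from the query as a floor for principals without history: a freshly created or freshly compromised role has no baseline to deviate from, which is exactly the case the page's fourth test exercises.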
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS SES High-Volume Email Sending Simulation
  Expected signal: AWS CloudTrail: 10 events with EventName=SendEmail, EventSource=ses.amazonaws.com, originating from the caller IAM ARN and source IP. CloudWatch Metrics: SES NumberOfEmailsSent increments by 10. Sentinel AWSCloudTrail table: events appear within 5 minutes of AWS CloudTrail delivery delay.
- Test 2: AWS SNS SMS Publishing Burst with Promotional Configuration
  Expected signal: AWS CloudTrail: SetSMSAttributes event (RequestParameters shows DefaultSMSType=Promotional), CreateTopic event with TopicName=argus-t1496004-test, and 5 x Publish events, all from the same IAM ARN within a short time window. CloudWatch: SNS NumberOfMessagesSent and SMSMonthToDateSpentUSD metrics increment.
- Test 3: AWS Bedrock LLM Invocation Burst (LLMJacking Simulation)
  Expected signal: AWS CloudTrail: 15 x EventName=InvokeModel, EventSource=bedrock.amazonaws.com, with ModelId=amazon.titan-text-lite-v1 in RequestParameters, all from the same IAM ARN and source IP. CloudWatch: Bedrock InvocationCount metric increments by 15. If Bedrock invocation logging is enabled, S3 or CloudWatch Logs capture input prompts and responses.
- Test 4: SES Service Enablement Then Immediate Abuse Pattern
  Expected signal: AWS CloudTrail: CreateEmailIdentity event followed within seconds by a SendEmail event (possibly ErrorCode=MessageRejected if unverified), then a GetEmailIdentity event, all from the same IAM ARN and source IP within a 1-2 minute window. The sub-minute gap between CreateEmailIdentity and SendEmail is the key forensic indicator.
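The volume query above does not catch Test 4, because a single SendEmail never crosses a threshold; the indicator is the ordering. Here is an added Python check (example code for this page, not from the page or from Atomic Red Team) that pairs each CreateEmailIdentity with the next SendEmail from the same ARN and reports the gap. It runs over constructed CloudTrail-style records; the 120-second window, the ses_event helper and the sample ARNs are assumptions.

```python
# Added example, not part of the original page: sequence check for the enable-then-abuse pattern.
from datetime import datetime, timezone

WINDOW_SECONDS = 120  # assumption: the testing notes describe a 1-2 minute window


def parse_time(event_time: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enable_then_abuse(events: list[dict], window: int = WINDOW_SECONDS) -> list[dict]:
    """Return findings where SendEmail follows CreateEmailIdentity from the same ARN within `window` seconds.

    A rejected send (errorCode=MessageRejected) still counts: the attempt is the signal.
    """
    pending: dict[str, datetime] = {}  # ARN -> time of its most recent CreateEmailIdentity
    findings: list[dict] = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 UTC timestamps sort lexically
        if ev.get("eventSource") != "ses.amazonaws.com":
            continue
        arn = ev.get("userIdentity", {}).get("arn", "")
        name = ev.get("eventName")
        if name == "CreateEmailIdentity":
            pending[arn] = parse_time(ev["eventTime"])
        elif name == "SendEmail" and arn in pending:
            gap = (parse_time(ev["eventTime"]) - pending.pop(arn)).total_seconds()
            if gap <= window:
                findings.append({"arn": arn, "gap_seconds": gap, "send_error": ev.get("errorCode"),
                                 "sourceIPAddress": ev.get("sourceIPAddress")})
    return findings


def ses_event(name, arn, ip, when, error=None) -> dict:
    """Constructed minimal SES CloudTrail record (not real telemetry)."""
    ev = {"eventSource": "ses.amazonaws.com", "eventName": name, "eventTime": when,
          "userIdentity": {"arn": arn, "type": "IAMUser"}, "sourceIPAddress": ip}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample: one caller verifies an identity and sends 7 seconds later (rejected, unverified),
# another creates an identity during onboarding and sends hours later, which is normal.
ABUSER = "arn:aws:iam::111122223333:user/burner-ops"
ONBOARDING = "arn:aws:iam::111122223333:role/platform-onboarding"
SAMPLE = [
    ses_event("CreateEmailIdentity", ABUSER, "203.0.113.50", "2024-05-01T10:00:00Z"),
    ses_event("SendEmail", ABUSER, "203.0.113.50", "2024-05-01T10:00:07Z", error="MessageRejected"),
    ses_event("GetEmailIdentity", ABUSER, "203.0.113.50", "2024-05-01T10:00:30Z"),
    ses_event("CreateEmailIdentity", ONBOARDING, "198.51.100.7", "2024-05-01T09:00:00Z"),
    ses_event("SendEmail", ONBOARDING, "198.51.100.7", "2024-05-01T11:30:00Z"),
]

if __name__ == "__main__":
    for finding in enable_then_abuse(SAMPLE):
        print(finding)
```

Note that the check deliberately does not require the send to succeed: the rejected attempt is what a live run of Test 4 against an unverified identity will produce, and it is still the signal the testing notes call out.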
References (12)
- https://attack.mitre.org/techniques/T1496/004/
- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/
- https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
- https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
- https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
- https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html
- https://docs.aws.amazon.com/sns/latest/dg/sms_stats_cloudwatch.html
- https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
- https://docs.microsoft.com/en-us/azure/sentinel/connect-aws-cloudtrail
- https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudTrail
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md