DET0147 Detection Strategy for Cloud Service Hijacking via SaaS Abuse

Item	Value
ID	DET0147
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1496.004 (Cloud Service Hijacking)

Analytics

SaaS

AN0417

Adversary gains access to cloud-hosted services such as AWS SES, SNS, or OpenAI API, enables or modifies usage policies, and initiates resource-intensive actions (e.g., mass email/SMS or LLM queries), often from unauthorized regions or under anomalous identity conditions.

Log Sources

Data Component	Name	Channel
Cloud Service Modification (DC0069)	AWS:CloudTrail	PutIdentityPolicy
Application Log Content (DC0038)	AWS:CloudTrail	SendEmail
User Account Metadata (DC0013)	AWS:CloudTrail	AssumeRole

Mutable Elements

Field	Description
TimeWindow	Define threshold period over which request spikes are measured. E.g., 10 min or 1 hour windows.
UserContext	Alert only if role/user is outside expected automation identity list.
RequestVolumeThreshold	Customize the number of emails/SMS or API calls considered anomalous.
GeoVelocityThreshold	Tune geolocation jump logic (e.g., login from US, then use service in Asia within minutes).
ModelUsageQuotaSpike	Set maximum allowable deviation from past 7-day average OpenAI/GPT token usage.