When adversaries route command-and-control through native AWS messaging — EventBridge buses, SNS topics, SQS queues — the traffic blends with legitimate application messaging and produces no external-network indicator. This article surfaces the four patterns and ships the detection logic.
External C2 is increasingly easy to detect: behavioural beacon analysis, JA3/JA4 fingerprinting, anomaly-based egress monitoring. Adversaries who have studied the defensive landscape have responded by moving their command-and-control inside the trusted boundary — using AWS-native messaging services as the channel. The implant publishes results to an SNS topic; the operator subscribes a Lambda function that processes the results. The traffic never crosses an external network boundary.
Part 5 of the AWS Threat Hunting series catalogues the four most-observed native-messaging C2 patterns and ships the detection logic that surfaces them.
01 · Why this hunt matters
Native-messaging C2 is hard for traditional network monitoring because there is no external network traffic to monitor. The C2 channel is entirely inside AWS, often within a single VPC, sometimes within a single account. The traffic looks indistinguishable from legitimate event-driven application messaging until you correlate the producer identity with the consumer identity.
The detection opportunity is in the trust-graph asymmetry: legitimate AWS messaging follows known producer-consumer trust relationships; covert C2 introduces new trust relationships that were not previously present. The hunt patterns below surface those new relationships.
02 · Adversary tradecraft
Pattern 01 — Compromised Lambda publishing to attacker-controlled EventBridge bus
The compromised Lambda function uses the AWS SDK to publish events to a custom EventBridge bus. The attacker subscribes a rule to that bus and routes events to their controlled Lambda. The compromised function is the implant; the attacker’s Lambda is the operator interface.
Pattern 02 — SNS topic with external account subscription
The attacker who has compromised an identity with SNS administrative privileges adds a subscription to an existing topic that delivers to an HTTPS endpoint they control. Every event published to the topic by the legitimate application is also forwarded to the attacker.
Pattern 03 — SQS queue cross-account access
The attacker modifies a queue policy to grant SendMessage permission to an external account. The legitimate application continues to consume from the queue; the attacker injects messages that drive specific behaviour in the consumer.
Pattern 04 — EventBridge cross-account event bus
EventBridge supports cross-account event delivery. The attacker creates a rule that forwards events from a victim bus to a bus in their account. The original event flow continues normally; the attacker gains a copy of every event.
03 · Telemetry needed
- CloudTrail management events for EventBridge (PutRule, PutTargets, PutPermission), SNS (Subscribe, AddPermission), and SQS (SetQueueAttributes, AddPermission).
- CloudTrail data events for Lambda — function invocations and event source mappings.
- Account-relationship inventory — known partner accounts versus unknown.
04 · Hunt queries
Hunt query 01 — External-account SNS subscription
SELECT eventTime, userIdentity.arn AS principal, sourceIPAddress,
requestParameters.topicArn AS topic,
requestParameters.endpoint AS subscription_endpoint,
requestParameters.protocol AS protocol
FROM cloudtrail_logs
WHERE eventName = 'Subscribe' AND eventSource = 'sns.amazonaws.com'
AND eventTime BETWEEN '2026-06-08' AND '2026-06-14'
AND requestParameters.protocol IN ('http', 'https')
AND requestParameters.endpoint NOT LIKE '%trusted-partner-domain-pattern%';
Hunt query 02 — EventBridge rule with external target
SELECT eventTime, userIdentity.arn AS principal,
requestParameters.rule AS rule_name,
requestParameters.targets AS targets
FROM cloudtrail_logs
WHERE eventName = 'PutTargets' AND eventSource = 'events.amazonaws.com'
AND eventTime BETWEEN '2026-06-08' AND '2026-06-14'
AND requestParameters.targets LIKE '%arn:aws:%'
-- Coarse exclusion: the row is dropped when any ARN in targets is in OUR_ACCOUNT_ID,
-- including the RoleArn used for cross-account delivery; extract each target's Arn
-- account id for a precise check.
AND requestParameters.targets NOT LIKE '%arn:aws:%:OUR_ACCOUNT_ID:%';
Hunt query 03 — SQS queue policy modification granting cross-account access
SELECT eventTime, userIdentity.arn AS principal,
requestParameters.queueUrl AS queue,
requestParameters.attributes.Policy AS new_policy
FROM cloudtrail_logs
WHERE eventName = 'SetQueueAttributes' AND eventSource = 'sqs.amazonaws.com'
AND eventTime BETWEEN '2026-06-08' AND '2026-06-14'
AND requestParameters.attributes.Policy LIKE '%Principal%'
AND requestParameters.attributes.Policy NOT LIKE '%OUR_ACCOUNT_ID%';
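The same trust-graph check as hunt queries 01 to 03, implemented over CloudTrail records in Python; this is an added example, not code from the original article. It generalises the queries: every account id found in a PutTargets target set and every Principal in a new SQS queue policy is compared against an assumed allowlist (placeholder account ids and partner domain), so an external target is still flagged when an own-account RoleArn also appears in the same record.

```python
import json
import re
from urllib.parse import urlparse

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # assumed: own account + approved partner (placeholders)
TRUSTED_ENDPOINT_DOMAINS = {"hooks.partner.example"}  # assumed allowlisted HTTPS subscription hosts
ARN_RE = re.compile(r"arn:aws:[a-z0-9-]*:[a-z0-9-]*:(\d{12}):")

def account_ids_in(text):
    """Every 12-digit account id embedded in an ARN anywhere in text."""
    return set(ARN_RE.findall(text))

def principal_accounts(policy):
    """Account ids (or '*') named as Principal in an SQS policy document."""
    accts = set()
    stmts = json.loads(policy).get("Statement", [])
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        p = stmt.get("Principal", {})
        vals = p.get("AWS", []) if isinstance(p, dict) else p
        for v in ([vals] if isinstance(vals, str) else vals):
            accts |= {"*"} if v == "*" else (account_ids_in(v) or {v})
    return accts

def check_event(ev):
    """Finding when a CloudTrail record adds a consumer outside the trust graph, else None."""
    name, params = ev["eventName"], ev.get("requestParameters", {})
    if name == "PutTargets":  # patterns 01/04: rule target in another account
        untrusted = account_ids_in(json.dumps(params.get("targets", []))) - TRUSTED_ACCOUNTS
    elif name == "Subscribe" and params.get("protocol") in ("http", "https"):  # pattern 02
        host = urlparse(params.get("endpoint", "")).hostname or ""
        untrusted = set() if host in TRUSTED_ENDPOINT_DOMAINS else {host}
    elif name == "SetQueueAttributes" and "Policy" in params.get("attributes", {}):  # pattern 03
        untrusted = principal_accounts(params["attributes"]["Policy"]) - TRUSTED_ACCOUNTS
    else:
        return None
    return f"{name} by {ev['userIdentity']['arn']} grants untrusted {sorted(untrusted)}" if untrusted else None

SAMPLE_EVENTS = [  # constructed CloudTrail records for illustration, not real telemetry
    {"eventName": "PutTargets", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
     "requestParameters": {"rule": "orders-fanout", "targets": [{"id": "t1",
         "arn": "arn:aws:events:us-east-1:999999999999:event-bus/collector"}]}},
    {"eventName": "Subscribe", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": {"protocol": "https", "endpoint": "https://hooks.partner.example/in"}},
    {"eventName": "SetQueueAttributes", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": {"attributes": {"Policy": json.dumps({"Statement": [{"Effect": "Allow",
         "Principal": {"AWS": "999999999999"}, "Action": "sqs:SendMessage"}]})}}},
]

def hunt(events):
    return [f for f in map(check_event, events) if f]
```

Running `hunt(SAMPLE_EVENTS)` returns two findings (the external event-bus target and the external SendMessage grant) and stays silent on the allowlisted partner subscription.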
05 · Sigma rule
title: AWS EventBridge or SNS Cross-Account Target Configured
id: 9e6f7a88-ab1c-4d23-be2f-3a4b5c6d7e8f
status: experimental
description: |
  Detects EventBridge rule target or SNS topic subscription pointing to
  an external AWS account or HTTPS endpoint — surfaces native-messaging
  C2 setup.
author: HackForLab
date: 2026/06/16
references:
  - https://hackforlab.com/aws-eventbridge-sns-covert-c2-hunt-2026/
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.exfiltration
  - attack.t1567
logsource:
  product: aws
  service: cloudtrail
detection:
  selection_external_target:
    eventName: 'PutTargets'
    eventSource: 'events.amazonaws.com'
  filter_own_account:
    requestParameters.targets|contains: 'OUR_ACCOUNT_ID'
  selection_external_subscription:
    eventName: 'Subscribe'
    eventSource: 'sns.amazonaws.com'
    requestParameters.protocol:
      - 'http'
      - 'https'
  condition: (selection_external_target and not filter_own_account) or selection_external_subscription
fields:
  - userIdentity.arn
  - requestParameters
falsepositives:
  - Approved cross-account event flows (allowlist by partner ARN)
level: high
06 · Ship as a production detection
Maintain a partner-account allowlist that is integrated with the rule. New cross-account event flows must come through a reviewed change; events without ticket linkage fire the rule. Map detections to T1071 (Application Layer Protocol) and T1567 (Exfiltration Over Web Service).
07 · False-positive considerations
Approved cross-account event flows are the only meaningful FP source. Mitigate by tight allowlist maintenance and integration with the change-management system.
08 · Response actions
- Revoke the modification.
- Identify and contain the compromised principal.
- Audit messages forwarded since the change for sensitive content.
- Review the partner-account relationship.
- Rotate any credentials that may have been exposed through forwarded messages.
09 · FAQ
Are these patterns common in the wild?
Yes — and increasingly so as defenders close down the older external C2 patterns.
Can we just block all cross-account messaging?
Only if no legitimate cross-account messaging exists in your environment, which is rare. The realistic mitigation is allowlist-plus-detection.
How do we audit existing cross-account messaging configurations?
Enumerate all event bus permissions, SNS topic subscriptions, and SQS queue policies that reference external accounts. Review each one for business justification.
Is this only an AWS concern?
The pattern generalises to other cloud providers’ native messaging services. The detection approach is the same — trust-graph anomaly detection.
How fast do these channels move data?
EventBridge can forward thousands of events per second. The exfiltration capacity is high; the visibility from external network monitoring is zero.