AWS - SES Post Exploitation

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

SES

For more information check:

AWS - SES Enum

ses:SendEmail

Send an email.

aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json
aws sesv2 send-email --from-email-address sender@example.com --destination file://emails.json --content file://message.json

Still to test.

ses:SendRawEmail

Send an email.

aws ses send-raw-email --raw-message file://message.json

Still to test.

ses:SendTemplatedEmail

Send an email based on a template.

aws ses send-templated-email --source <value> --destination <value> --template <value> --template-data <value>

Still to test.

ses:SendBulkTemplatedEmail

Send an email to multiple destinations.

aws ses send-bulk-templated-email --source <value> --template <value> --destinations <value>

Still to test.

ses:SendBulkEmail

Send an email to multiple destinations.

aws sesv2 send-bulk-email --default-content <value> --bulk-email-entries <value>

ses:SendBounce

Send a bounce email for a received email (indicating that the email couldn’t be received). This can only be done up to 24h after receiving the email.

aws ses send-bounce --original-message-id <value> --bounce-sender <value> --bounced-recipient-info-list <value>

Still to test.

ses:SendCustomVerificationEmail

This will send a customized verification email. You might also need permissions to create the email template.

aws ses send-custom-verification-email --email-address <value> --template-name <value>
aws sesv2 send-custom-verification-email --email-address <value> --template-name <value>

Still to test.

WorkMail pivot to bypass SES sandbox

When ses:GetAccount shows the account is still in the SES sandbox and ses:ListIdentities returns no verified senders, attackers can pivot to WorkMail to send immediately (no sandbox and higher default quotas) by creating orgs, verifying domains, and registering mailboxes.
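
A defender-side check for the sequence described above, as an added example that is not part of the original page: it correlates CloudTrail records per principal and flags SES reconnaissance followed by WorkMail setup. The records are constructed, and the event names (assumed to mirror the API action names), the 24-hour window and the function `find_workmail_pivots` are assumptions of this example.

```python
from datetime import datetime, timedelta

# Assumption: CloudTrail eventName values mirror the API action names.
SES_RECON = {"GetAccount", "ListIdentities", "ListEmailIdentities"}
WORKMAIL_SETUP = {"CreateOrganization", "RegisterMailDomain",
                  "CreateUser", "RegisterToWorkMail"}
WINDOW = timedelta(hours=24)  # assumed correlation window, tune per environment


def _ev(time, service, name, user):
    """Build a constructed record with only the CloudTrail fields used here."""
    return {"eventTime": time, "eventSource": service + ".amazonaws.com",
            "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user}}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "ses", "GetAccount", "ci-deploy"),
    _ev("2024-05-01T10:01:00Z", "ses", "ListIdentities", "ci-deploy"),
    _ev("2024-05-01T10:05:00Z", "workmail", "CreateOrganization", "ci-deploy"),
    _ev("2024-05-01T10:20:00Z", "workmail", "RegisterMailDomain", "ci-deploy"),
    _ev("2024-05-01T10:40:00Z", "workmail", "CreateUser", "ci-deploy"),
    _ev("2024-05-01T10:41:00Z", "workmail", "RegisterToWorkMail", "ci-deploy"),
    _ev("2024-05-01T09:00:00Z", "workmail", "CreateUser", "mail-admin"),  # no recon
    _ev("2024-05-01T11:00:00Z", "ses", "GetAccount", "auditor"),  # recon only
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_workmail_pivots(events, window=WINDOW):
    """Flag principals whose SES recon is followed by WorkMail setup within window."""
    last_recon, findings = {}, {}
    for event in sorted(events, key=_ts):
        arn = event["userIdentity"]["arn"]
        source, name, when = event["eventSource"], event["eventName"], _ts(event)
        if source == "ses.amazonaws.com" and name in SES_RECON:
            last_recon[arn] = when
        elif source == "workmail.amazonaws.com" and name in WORKMAIL_SETUP:
            recon = last_recon.get(arn)
            if recon is not None and when - recon <= window:
                hit = findings.setdefault(arn, {"principal": arn,
                                                "recon_at": recon.isoformat(),
                                                "workmail_actions": []})
                hit["workmail_actions"].append(name)
    return list(findings.values())
```

Principals that legitimately administer WorkMail without first probing SES, such as `mail-admin` in the sample, are not flagged.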
