AWS EC2 Route Table Modification or Deletion
An attacker modifies or deletes AWS EC2 route tables to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment.
Attackers can manipulate AWS EC2 route tables to achieve various malicious objectives. Modifications or deletions of route tables and their associations, using actions like ReplaceRoute, ReplaceRouteTableAssociation, DeleteRouteTable, DeleteRoute, and DisassociateRouteTable, may indicate attempts to disrupt network traffic, reroute communications to attacker-controlled infrastructure, or establish persistence within the compromised AWS environment. This activity is often performed after initial access is gained through other means. Defenders should monitor these events closely for unexpected changes, particularly those originating from unfamiliar users or locations. While routine administration can trigger similar events, understanding the context and intent behind these actions is crucial to differentiating legitimate activity from malicious behavior.
Attack Chain
- An attacker gains initial access to an AWS account, potentially through compromised credentials or by exploiting a vulnerability in an application running within the environment.
- The attacker enumerates existing EC2 route tables to identify potential targets for manipulation using
ec2:DescribeRouteTables. - The attacker uses
ec2:ReplaceRouteto modify a route within a route table, redirecting traffic destined for a specific CIDR block to an attacker-controlled instance. - Alternatively, the attacker uses
ec2:ReplaceRouteTableAssociationto associate a subnet with a malicious route table they control, effectively hijacking traffic from that subnet. - To remove evidence or prevent legitimate access, the attacker might use
ec2:DeleteRouteTableto delete a critical route table. - The attacker can also use
ec2:DeleteRouteto remove specific routes which may impede their lateral movement or persistence. - The attacker uses
ec2:DisassociateRouteTableto break existing subnet associations, disrupting network connectivity. - The final objective could be data exfiltration, denial of service, or maintaining long-term access to the compromised environment.
Impact
Successful modification or deletion of EC2 route tables can lead to significant disruptions in network traffic, potentially causing downtime for critical applications and services. Attackers can reroute sensitive data through their own infrastructure, enabling data theft or manipulation. This activity impacts cloud infrastructure and can lead to a loss of confidentiality, integrity, and availability. The risk is elevated if critical infrastructure components are affected, requiring immediate incident response to mitigate the damage and restore normal operations.
Recommendation
- Enable AWS CloudTrail and monitor
ReplaceRoute,ReplaceRouteTableAssociation,DeleteRouteTable,DeleteRoute, andDisassociateRouteTableevents to detect suspicious route table modifications or deletions as described in the overview. - Deploy the Sigma rule "AWS EC2 Route Table Modified or Deleted" to your SIEM to detect unauthorized changes to route tables, ensuring to tune it for your specific environment.
- Investigate the
aws.cloudtrail.user_identity.arnfield to determine the user or role initiating the action and validate their authorization to perform these operations, as described in the rule documentation. - Monitor the
source.ipanduser_agent.originalfields in CloudTrail logs to identify unusual or suspicious sources of route table modifications as described in the investigation steps. - Implement the principle of least privilege by limiting route table modification permissions to specific trusted users, roles, or automation accounts and using IAM conditions, referencing the remediation steps from the provided documentation.
Detection coverage 2
AWS EC2 Route Table Modified or Deleted
lowDetects AWS CloudTrail events where an EC2 route table or association has been modified or deleted.
AWS EC2 Route Table Modification by Unusual User Agent
mediumDetects AWS CloudTrail events where an EC2 route table is modified by an unusual user agent, potentially indicating malicious activity.
Detection queries are available on the platform. Get full rules →