AWS EC2 Network Access Control List Creation
The rule detects the creation of an AWS EC2 network access control list (ACL) or an entry in a network ACL with a specified rule number, which adversaries may exploit to establish persistence or defense evasion by creating permissive rules.
This detection rule identifies the creation of AWS EC2 network access control lists (ACLs) or entries within them. EC2 Network ACLs act as stateless firewalls, controlling inbound and outbound traffic at the subnet level. Attackers may create overly permissive rules in these ACLs to maintain persistence, bypass security controls, or potentially exfiltrate data. This activity is typically logged in AWS CloudTrail, providing a valuable data source for detection. The rule focuses on successful creation events of ACLs or their entries, aiming to identify unauthorized modifications indicative of persistence tactics or defense evasion. Monitoring these events helps in the early detection of malicious activities related to network access control misconfigurations.
Attack Chain
- An attacker gains initial access to an AWS account, potentially through compromised credentials or exploiting a vulnerability in an application.
- The attacker leverages these credentials to interact with the AWS EC2 service via the AWS CLI or API.
- The attacker initiates the creation of a new Network ACL using the
CreateNetworkAclAPI call, or adds a new entry to an existing ACL using theCreateNetworkAclEntryAPI call. - The newly created ACL or entry is configured with overly permissive rules, such as allowing all inbound or outbound traffic on specific ports or from any IP address.
- The attacker modifies the subnet association to apply the malicious Network ACL to a specific subnet, granting broad network access.
- The permissive ACL rules enable the attacker to establish persistent access to resources within the subnet, bypass existing security controls, or facilitate data exfiltration.
- The attacker maintains persistence by ensuring the malicious ACL remains active and associated with the target subnet, granting continued unauthorized access.
Impact
Successful exploitation can lead to unauthorized access to resources within the AWS environment, allowing attackers to move laterally, exfiltrate sensitive data, or maintain a persistent foothold. While this rule is low severity, the impact can be significant depending on the scope and permissions granted by the new network ACL. A permissive network ACL can override security group rules, and potentially expose services to the internet.
Recommendation
- Deploy the Sigma rule to your SIEM and tune for your environment.
- Review AWS CloudTrail logs for
CreateNetworkAclandCreateNetworkAclEntryevents and investigate any unexpected activity from unfamiliar users. - Implement alerting on changes to Network ACLs to proactively identify potentially malicious activity.
- Enforce the principle of least privilege for IAM users and roles to minimize the risk of unauthorized changes to network configurations.
- Implement multi-factor authentication (MFA) to protect against compromised credentials.
- Regularly audit AWS IAM policies and permissions to identify and remediate overly permissive access.
Detection coverage 2
AWS EC2 Network ACL Creation
lowDetects the creation of an AWS EC2 Network ACL.
AWS EC2 Network ACL Entry Creation
lowDetects the creation of an AWS EC2 Network ACL Entry.
Detection queries are available on the platform. Get full rules →