Skip to content
Threat Feed
low advisory

AWS EC2 Route Table Created for Persistence or Defense Evasion

An EC2 Route Table creation event in AWS can indicate an attacker attempting to disrupt network traffic, reroute communications, or maintain persistence by creating unauthorized routes.

This detection rule identifies when an EC2 Route Table has been created in an AWS environment. Attackers can abuse route tables to disrupt network traffic flow, reroute communications for data exfiltration, or establish persistence within a compromised AWS account. This rule leverages AWS CloudTrail logs to detect the initial creation of a route table by a specific user or role, flagging potential unauthorized network configuration changes. The rule focuses on CreateRoute and CreateRouteTable events logged by the ec2.amazonaws.com provider. The rule is based on the Elastic detection rule released on 2021/06/05 and updated on 2026/04/10. It aims to detect novel route table creation events based on the AWS account ID and username.

Attack Chain

  1. An attacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured IAM role.
  2. The attacker attempts to enumerate existing network infrastructure, including VPCs, subnets, and route tables, to identify potential targets for manipulation.
  3. The attacker uses the AWS EC2 API to create a new route table within a targeted VPC, effectively creating a new path for network traffic.
  4. The attacker configures the newly created route table with specific routes, potentially directing traffic to attacker-controlled infrastructure or intercepting sensitive data. This involves creating routes using the CreateRoute API.
  5. The attacker associates the new route table with one or more subnets, redirecting network traffic from those subnets through the malicious route table.
  6. The attacker monitors network traffic flowing through the manipulated route table, capturing sensitive data or injecting malicious content.
  7. The attacker leverages the altered network configuration to maintain persistent access to the AWS environment, even if initial access methods are detected and remediated.

Impact

Successful exploitation can allow attackers to intercept and exfiltrate sensitive data traversing the AWS network, disrupt critical services by rerouting traffic, and maintain persistent access to the compromised environment, even after initial intrusion vectors are closed. The impact is generally contained to the AWS environment but could have downstream effects if that environment connects to on-premise or other cloud environments.

Recommendation

  • Deploy the Sigma rule "AWS EC2 Route Table Created" to your SIEM and tune for your environment to detect potentially malicious route table creation events.
  • Investigate any alerts generated by the Sigma rule by examining the AWS account, IAM user/role, and the configuration of the newly created route table.
  • Implement continuous monitoring of AWS CloudTrail logs to ensure comprehensive visibility into AWS API activity.
  • Review IAM roles and permissions to adhere to the principle of least privilege, limiting the ability of users and roles to create or modify route tables.
  • If unauthorized, remove permissions for related actions from the user or role. You can use the managed AWSDenyAll policy.

Detection coverage 2

AWS EC2 Route Table Created

low

Detects creation of AWS EC2 route tables, which can be used for malicious purposes.

sigma tactics: defense_evasion, persistence techniques: T1578.005 sources: cloudtrail, aws, cloudtrail

AWS EC2 Route Created

low

Detects creation of AWS EC2 routes, which can be used for malicious purposes.

sigma tactics: defense_evasion, persistence techniques: T1578.005 sources: cloudtrail, aws, cloudtrail

Detection queries are available on the platform. Get full rules →