Detect AWS Route Table Modification via CloudTrail

hello@craftedsignal.io — Fri, 01 Nov 2024 12:00:00 +0000

The addition of a new route to an AWS route table can be a sign of malicious activity, especially if the route redirects traffic to an unexpected or unauthorized destination. This activity is typically logged in AWS CloudTrail. Attackers might add routes to intercept network traffic, conduct man-in-the-middle attacks, or impair defenses by routing traffic away from security appliances. Understanding who is performing this action and the destination of the new route is critical for identifying potential threats within an AWS environment.

Attack Chain

An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or an exploited vulnerability.
The attacker uses the AWS CLI or the AWS Management Console to interact with the EC2 service.
The attacker identifies the target route table to modify.
The attacker executes the CreateRoute API call, specifying the destination CIDR block and target (e.g., an internet gateway, virtual private gateway, or network interface).
CloudTrail logs the CreateRoute event, capturing details of the action, including the user identity, source IP address, and the route table modification.
Network traffic matching the new route’s destination CIDR block is now redirected to the attacker-controlled target.
The attacker monitors and potentially modifies the redirected traffic for reconnaissance or data exfiltration purposes.

Impact

Successful modification of AWS route tables can lead to significant security breaches. An attacker could redirect critical network traffic to a malicious endpoint, enabling them to intercept sensitive data or disrupt services. This could lead to data breaches, financial loss, and reputational damage. The scope of the impact depends on the criticality of the redirected traffic and the attacker’s objectives.

Recommendation

Deploy the “Detect AWS Route Table Modification via CloudTrail” Sigma rule to your SIEM and tune for your environment to detect suspicious route creation events in AWS CloudTrail logs.
Investigate any CreateRoute events where the user identity is unexpected or the destination CIDR block and target are suspicious.
Monitor AWS CloudTrail logs for CreateRoute events and correlate them with other suspicious activities.
Implement strict IAM policies to limit who can modify route tables (reference the eventSource and eventName fields in the rule below).

New AWS Network ACL Entry Creation Detected

hello@craftedsignal.io — Sat, 26 Oct 2024 14:27:00 +0000

The creation of new Network Access Control List (ACL) entries in Amazon Web Services (AWS) environments can be a sign of malicious activity. While legitimate use cases exist, adversaries can leverage these ACL changes to impair existing defenses, create new pathways for lateral movement, or establish persistence mechanisms. This activity is logged by CloudTrail and can be monitored to identify unauthorized or suspicious modifications to network security configurations. Attackers could create overly permissive rules that allow unauthorized access to critical resources or restrictive rules that disrupt legitimate traffic. Monitoring the creation of Network ACL entries is important for maintaining the integrity and security of AWS environments.

Attack Chain

An attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited vulnerability.
The attacker identifies the existing Network ACLs within the target Virtual Private Cloud (VPC).
The attacker uses the AWS Management Console, CLI, or API to create a new Network ACL entry. The CreateNetworkAclEntry event is logged in CloudTrail.
The new ACL entry may be configured to allow specific inbound or outbound traffic that was previously blocked, effectively opening a new attack vector.
Alternatively, the new ACL entry may be configured to deny legitimate traffic, causing a denial-of-service condition for specific services or resources.
The attacker leverages the newly created ACL entry to move laterally within the AWS environment, accessing previously inaccessible resources.
The attacker performs malicious actions, such as data exfiltration or resource compromise, using the newly opened network pathways.

Impact

The creation of unauthorized Network ACL entries can have significant consequences. It can lead to the opening of new attack vectors, allowing unauthorized access to sensitive data and critical resources. In some scenarios, it can result in a denial-of-service condition, disrupting legitimate business operations. Depending on the scope of the compromised resources and data, the impact can range from minor inconvenience to significant financial loss and reputational damage. Early detection of this activity is crucial to mitigating potential risks.

Recommendation

Deploy the Sigma rule “New Network ACL Entry Added” to your SIEM to detect suspicious ACL modifications (logsource: aws, service: cloudtrail).
Investigate any CreateNetworkAclEntry events that deviate from established baseline configurations or involve unexpected source/destination IP ranges.
Review and audit existing Network ACL configurations regularly to identify and remediate any overly permissive or restrictive rules.
Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise and unauthorized access.
Monitor CloudTrail logs for other related events, such as DeleteNetworkAclEntry or ReplaceNetworkAclEntry, which may indicate further tampering with network security configurations.

AWS EC2 — CraftedSignal Threat Feed

Detect AWS Route Table Modification via CloudTrail

Attack Chain

Impact

Recommendation

New AWS Network ACL Entry Creation Detected

Attack Chain

Impact

Recommendation