{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-acl/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","network-acl","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis analytic identifies the deletion of AWS Network Access Control Lists (ACLs), a critical security control, using AWS CloudTrail logs. The detection focuses on \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e events, triggered when a user removes a network ACL entry. This is significant because deleting a network ACL can inadvertently or maliciously remove critical access restrictions, potentially opening cloud instances to unauthorized access. The targeted action allows attackers to bypass network security controls, potentially leading to data exfiltration or further compromise of the cloud environment. 
The detection leverages logs from AWS CloudTrail and requires the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, possibly through compromised credentials or exploiting a vulnerability in an application running on EC2.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Network ACLs to identify potential targets for modification or deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a Network ACL that, when removed or modified, would grant them broader access to resources within the VPC.\u003c/li\u003e\n\u003cli\u003eThe attacker uses AWS CLI or AWS Management Console to issue a \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e command, targeting the chosen ACL.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e event, capturing details such as the user identity, timestamp, and affected ACL.\u003c/li\u003e\n\u003cli\u003eThe targeted Network ACL entry is removed, altering the network access rules for the associated subnets.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the new network access to connect to previously restricted resources, such as databases or internal applications.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or performs other malicious activities, bypassing network-level security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of a network ACL entry can lead to unauthorized access to critical AWS resources, potentially affecting all instances within the affected subnets. The impact can range from data breaches and service disruption to full compromise of the cloud environment, and depends on the scope and importance of the now-exposed resources. 
This poses a significant threat to organizations utilizing AWS, potentially impacting confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Network ACL Entry Deletion\u003c/code\u003e to detect instances of ACL entry deletion based on \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e events in AWS CloudTrail.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eDeleteNetworkAclEntry\u003c/code\u003e events, paying close attention to the user identity (\u003ccode\u003euser\u003c/code\u003e), source IP (\u003ccode\u003esrc\u003c/code\u003e), and the specific ACL being modified.\u003c/li\u003e\n\u003cli\u003eEnable and review CloudTrail logs regularly to ensure proper coverage of AWS API activity, as indicated in the \u003ccode\u003edata_source\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of compromised credentials leading to unauthorized ACL modifications.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eaws_network_access_control_list_deleted_filter\u003c/code\u003e macro to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-aws-acl-delete/","summary":"Detection of AWS Network Access Control List (ACL) deletion via CloudTrail logs indicating potential unauthorized access or data exfiltration.","title":"AWS Network ACL Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-acl-delete/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["CloudTrail","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Amazon Security Lake","Splunk Add-on for Amazon Web 
Services"],"_cs_severities":["high"],"_cs_tags":["aws","network-acl","misconfiguration","cloud","security-group"],"_cs_type":"advisory","_cs_vendors":["Amazon","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying misconfigured AWS Network ACLs (NACLs) that permit unrestricted traffic. AWS NACLs act as a firewall for controlling traffic in and out of subnets within a Virtual Private Cloud (VPC). When an NACL is configured to allow all ports and protocols from any IP address (0.0.0.0/0), it effectively bypasses security controls and exposes resources to potential threats. The activity is detected by monitoring AWS CloudTrail events for \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e API calls. This configuration error can be introduced by administrators during initial setup or through misconfiguration during updates. Defenders should ensure that NACLs follow the principle of least privilege to limit the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker scans for publicly accessible services or resources.\u003c/li\u003e\n\u003cli\u003eAn administrator, either maliciously or accidentally, creates or modifies a Network ACL using the AWS Management Console, CLI, or API with overly permissive rules (allowing all traffic: \u003ccode\u003eruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe misconfigured NACL is applied to one or more subnets within the VPC.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the open ports and protocols to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or disrupts 
services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA misconfigured Network ACL that allows all traffic can have severe consequences. It can lead to unauthorized access to sensitive data, potential data breaches, service disruption, and further compromise of the AWS environment. The impact is particularly high if critical resources are located within the affected subnets. This type of misconfiguration violates security best practices and compliance requirements.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Network ACL Created with All Ports Open\u003c/code\u003e to your SIEM to detect this specific misconfiguration (logsource: \u003ccode\u003eASL AWS CloudTrail\u003c/code\u003e, category: \u003ccode\u003enetwork_connection\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview existing Network ACL configurations to identify and remediate any overly permissive rules (check AWS console or use AWS CLI/API).\u003c/li\u003e\n\u003cli\u003eImplement automated checks to validate Network ACL configurations against security best practices.\u003c/li\u003e\n\u003cli\u003eEnsure that NACLs follow the principle of least privilege by only allowing necessary traffic (review NACL \u003ccode\u003eruleAction\u003c/code\u003e, \u003ccode\u003eegress\u003c/code\u003e, \u003ccode\u003eaclProtocol\u003c/code\u003e, and \u003ccode\u003ecidrBlock\u003c/code\u003e settings in CloudTrail logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of overly permissive NACL configurations to determine the root cause and potential impact (analyze CloudTrail logs for \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e 
events).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-aws-nacls-all-open/","summary":"The analytic detects the creation or replacement of AWS Network Access Control Lists (ACLs) with rules that allow all traffic from a specified CIDR block, potentially exposing the network to unauthorized access and increasing the risk of data breaches.","title":"AWS Network ACL Created with All Ports Open","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-nacls-all-open/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","AWS CloudTrail"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","network-acl","misconfiguration"],"_cs_type":"advisory","_cs_vendors":["Splunk","AWS"],"content_html":"\u003cp\u003eThis detection identifies the creation of overly permissive Network Access Control Lists (ACLs) within Amazon Web Services (AWS). Specifically, it focuses on \u003ccode\u003eCreateNetworkAclEntry\u003c/code\u003e or \u003ccode\u003eReplaceNetworkAclEntry\u003c/code\u003e CloudTrail events where rules are configured to allow all traffic (all ports open) to a defined CIDR block. Such configurations drastically reduce network security posture by potentially exposing critical services and data to unauthorized access. The timeframe of concern is ongoing as long as such misconfigurations exist. 
This matters to defenders because an attacker could leverage such an opening to pivot deeper into the AWS environment, leading to data exfiltration or service disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account through compromised credentials or other means (e.g., exposed API keys).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or Management Console to create a new Network ACL or modify an existing one.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the ACL rule to allow all inbound traffic (0.0.0.0/0 for all IPv4 addresses) on all ports by setting \u003ccode\u003erequestParameters.ruleAction\u003c/code\u003e to \u0026ldquo;allow\u0026rdquo; and \u003ccode\u003erequestParameters.aclProtocol\u003c/code\u003e to \u0026ldquo;-1\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eIf not opening all ports, the attacker instead creates an ACL rule that allows all inbound traffic on a port range spanning more than 1024 ports, setting \u003ccode\u003erequestParameters.ruleAction\u003c/code\u003e to \u0026ldquo;allow\u0026rdquo; with \u003ccode\u003erequestParameters.portRange.to\u003c/code\u003e - \u003ccode\u003erequestParameters.portRange.from\u003c/code\u003e \u0026gt; 1024.\u003c/li\u003e\n\u003cli\u003eThe attacker associates the modified or newly created ACL with one or more subnets within the VPC.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to connect to resources within the protected subnets using various protocols and ports to validate access.\u003c/li\u003e\n\u003cli\u003eUpon successful connection, the attacker can access and exfiltrate data, deploy malicious code, or disrupt services within the targeted subnets.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting an overly permissive Network ACL can lead to unrestricted access to systems and data within the affected AWS 
subnets. This could result in data breaches, service disruption, or the deployment of ransomware. The number of affected resources depends on the scope of the ACL and the number of subnets it protects. The impact can range from a single compromised EC2 instance to a complete compromise of the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Network ACL Created with All Open Ports\u003c/code\u003e to your SIEM and tune for your environment to detect the creation of overly permissive ACLs.\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all regions in your AWS account to ensure complete visibility into API activity (AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry).\u003c/li\u003e\n\u003cli\u003eImplement infrastructure-as-code (IaC) practices and automated validation to prevent the creation of overly permissive ACLs.\u003c/li\u003e\n\u003cli\u003eRegularly review existing Network ACLs to identify and remediate any overly permissive rules.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege when configuring Network ACLs, granting access only to the required ports and protocols.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-aws-open-acl/","summary":"The analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR by monitoring `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic, potentially leading to unauthorized network access.","title":"AWS Network Access Control List Created with All Open Ports","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-open-acl/"}],"language":"en","title":"CraftedSignal Threat Feed — Network-Acl","version":"https://jsonfeed.org/version/1.1"}