<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Route-Table - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/route-table/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/route-table/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EC2 Route Table Modification or Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-ec2-route-table-modified/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-ec2-route-table-modified/</guid><description>An attacker modifies or deletes AWS EC2 route tables to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment.</description><content:encoded><![CDATA[<p>Attackers can manipulate AWS EC2 route tables to achieve various malicious objectives. Modifications or deletions of route tables and their associations, using actions like <code>ReplaceRoute</code>, <code>ReplaceRouteTableAssociation</code>, <code>DeleteRouteTable</code>, <code>DeleteRoute</code>, and <code>DisassociateRouteTable</code>, may indicate attempts to disrupt network traffic, reroute communications to attacker-controlled infrastructure, or establish persistence within the compromised AWS environment. This activity is often performed after initial access is gained through other means. Defenders should monitor these events closely for unexpected changes, particularly those originating from unfamiliar users or locations. While routine administration can trigger similar events, understanding the context and intent behind these actions is crucial to differentiating legitimate activity from malicious behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or by exploiting a vulnerability in an application running within the environment.</li>
<li>The attacker enumerates existing EC2 route tables to identify potential targets for manipulation using <code>ec2:DescribeRouteTables</code>.</li>
<li>The attacker uses <code>ec2:ReplaceRoute</code> to modify a route within a route table, redirecting traffic destined for a specific CIDR block to an attacker-controlled instance.</li>
<li>Alternatively, the attacker uses <code>ec2:ReplaceRouteTableAssociation</code> to associate a subnet with a malicious route table they control, effectively hijacking traffic from that subnet.</li>
<li>To remove evidence or prevent legitimate access, the attacker might use <code>ec2:DeleteRouteTable</code> to delete a critical route table.</li>
<li>The attacker can also use <code>ec2:DeleteRoute</code> to remove specific routes which may impede their lateral movement or persistence.</li>
<li>The attacker uses <code>ec2:DisassociateRouteTable</code> to break existing subnet associations, disrupting network connectivity.</li>
<li>The final objective could be data exfiltration, denial of service, or maintaining long-term access to the compromised environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification or deletion of EC2 route tables can lead to significant disruptions in network traffic, potentially causing downtime for critical applications and services. Attackers can reroute sensitive data through their own infrastructure, enabling data theft or manipulation. This activity impacts cloud infrastructure and can lead to a loss of confidentiality, integrity, and availability. The risk is elevated if critical infrastructure components are affected, requiring immediate incident response to mitigate the damage and restore normal operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail and monitor <code>ReplaceRoute</code>, <code>ReplaceRouteTableAssociation</code>, <code>DeleteRouteTable</code>, <code>DeleteRoute</code>, and <code>DisassociateRouteTable</code> events to detect suspicious route table modifications or deletions as described in the overview.</li>
<li>Deploy the Sigma rule &quot;AWS EC2 Route Table Modified or Deleted&quot; to your SIEM to detect unauthorized changes to route tables, ensuring to tune it for your specific environment.</li>
<li>Investigate the <code>aws.cloudtrail.user_identity.arn</code> field to determine the user or role initiating the action and validate their authorization to perform these operations, as described in the rule documentation.</li>
<li>Monitor the <code>source.ip</code> and <code>user_agent.original</code> fields in CloudTrail logs to identify unusual or suspicious sources of route table modifications as described in the investigation steps.</li>
<li>Implement the principle of least privilege by limiting route table modification permissions to specific trusted users, roles, or automation accounts and using IAM conditions, referencing the remediation steps from the provided documentation.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>aws</category><category>cloudtrail</category><category>ec2</category><category>route-table</category><category>persistence</category><category>defense-evasion</category></item></channel></rss>