<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Security_group - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/security_group/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/security_group/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unusual Cloud Security Group Modifications by User</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cloud-security-group-modifications/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cloud-security-group-modifications/</guid><description>This analytic identifies unusual modifications to cloud security groups by users, such as modifications, deletions, or creations, analyzed over 30-minute intervals, potentially indicating compromised accounts or insider threats leading to resource exposure or service disruption.</description><content:encoded><![CDATA[<p>This detection identifies anomalous modifications to cloud security groups by users within a 30-minute timeframe. It focuses on actions such as modifications, deletions, and creations of security groups, analyzing cloud infrastructure logs to detect deviations from normal behavior. The analytic calculates the standard deviation of security group changes per user, employing a 3-sigma rule to identify outliers. This activity is significant because unauthorized or malicious alterations to security groups can expose sensitive resources or disrupt critical services. The original Splunk ES content was published in 2026-04-17T11:58:53Z. This may indicate a compromised account, insider threat, or privilege escalation attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a cloud environment through compromised credentials or an insider threat (T1578.005).</li>
<li>The attacker enumerates existing cloud security groups to identify potential targets for modification.</li>
<li>The attacker modifies security group rules to allow unauthorized access to internal resources or services.</li>
<li>The attacker creates new security groups with overly permissive rules, bypassing existing security controls.</li>
<li>The attacker deletes existing security groups, disrupting network segmentation and potentially causing service outages.</li>
<li>These actions are performed repeatedly within a short time frame (30 minutes), significantly deviating from the user's baseline activity.</li>
<li>The attacker exploits the newly opened access to exfiltrate sensitive data or deploy malicious workloads.</li>
<li>The ultimate objective is to compromise sensitive resources, disrupt services, or establish a persistent foothold within the cloud environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive data, disruption of critical services, and potential financial losses. A single compromised account can lead to the modification of numerous security groups, impacting multiple applications and services. The impact can range from data breaches and compliance violations to complete service outages. Depending on the scope of the compromised security groups, the blast radius can extend across the entire cloud infrastructure, affecting potentially thousands of users and applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure proper ingestion of AWS CloudTrail, GCP Pubsub Message logs, and Azure Audit logs into a data model like the Change datamodel referenced in the search query.</li>
<li>Deploy the Sigma rule <code>Cloud Security Group Modifications by User</code> to your SIEM to detect anomalous security group modifications (logsource: AWS CloudTrail).</li>
<li>Tune the threshold and time window of the Sigma rule based on your environment's baseline activity to reduce false positives. Consider adjusting the <code>upperBound</code> calculation in the search query.</li>
<li>Investigate any alerts generated by the Sigma rule to determine if the modifications are legitimate or malicious. Prioritize alerts triggered by users with no history of security group administration.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts to mitigate the risk of compromised credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>security_group</category><category>anomaly</category><category>aws</category></item></channel></rss>