LoFP / Administrators may legitimately add security group rules to allow traffic from any IP address or from specific IP addresses to common remote access ports.

Techniques

Sample rules

Insecure AWS EC2 VPC Security Group Ingress Rule Added

Description

Identifies when an inbound (ingress) rule is added to, or adjusted on, a VPC security group in AWS EC2. The rule fires when the new ingress rule allows traffic from any IP address, or from a specific IP address, to a common remote access port such as 22 (SSH) or 3389 (RDP). Adversaries may add such rules to reach VPC instances from any location, which enlarges the attack surface and can expose the instances to unauthorized access. Note that the sample logic below only matches the unrestricted CIDRs 0.0.0.0/0 and ::/0, and only on an exact fromPort value; a rule scoped to a single external address, or a port range such as 0-65535 that happens to cover SSH, is not caught by it as written.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: ec2.amazonaws.com
    and event.action: AuthorizeSecurityGroupIngress
    and event.outcome: success
    and aws.cloudtrail.flattened.request_parameters.cidrIp: ("0.0.0.0/0" or "::/0")
    and aws.cloudtrail.flattened.request_parameters.fromPort: (
        21 or 22 or 23 or 445 or 3389 or 5985 or 5986)
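The detection logic above is an Elastic KQL query and cannot be executed outside a stack that ingests CloudTrail. The following Python is an added example, not part of the LoFP page or of the Elastic rule, that applies the same conditions (EC2 source, AuthorizeSecurityGroupIngress, successful call, 0.0.0.0/0 or ::/0, watched port) to constructed raw CloudTrail records. It goes beyond the sample rule in two ways, both stated here as the example's own choices rather than the rule's behaviour: it reads both request shapes AuthorizeSecurityGroupIngress produces (the legacy flat cidrIp/fromPort form and the nested ipPermissions form), and it counts a watched port as exposed when it lies anywhere inside fromPort..toPort or when ipProtocol is "-1" (all traffic), instead of requiring fromPort to equal the port. The sample records and security group IDs are constructed for the example.

```python
"""Added example: ingress-rule detection over constructed CloudTrail records.
Not the LoFP page's or Elastic's code; field names follow raw CloudTrail JSON."""
from typing import Iterator, List, Set, Tuple

# Ports the sample rule watches: FTP, SSH, Telnet, SMB, RDP, WinRM HTTP/HTTPS.
REMOTE_ACCESS_PORTS: Set[int] = {21, 22, 23, 445, 3389, 5985, 5986}
# CIDRs that mean "the whole internet" for IPv4 and IPv6.
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def _items(obj) -> list:
    """CloudTrail wraps lists as {"items": [...]}; return that list (or [])."""
    if isinstance(obj, dict):
        return obj.get("items", [])
    return obj or []


def iter_permissions(req: dict) -> Iterator[dict]:
    """Yield normalized permission dicts from either requestParameters shape."""
    if "ipPermissions" in req:
        # Nested form, as produced by the console and current SDK/CLI calls.
        for perm in _items(req["ipPermissions"]):
            cidrs = [r.get("cidrIp") for r in _items(perm.get("ipRanges"))]
            cidrs += [r.get("cidrIpv6") for r in _items(perm.get("ipv6Ranges"))]
            yield {
                "protocol": str(perm.get("ipProtocol", "")),
                "from_port": perm.get("fromPort"),
                "to_port": perm.get("toPort"),
                "cidrs": [c for c in cidrs if c],
            }
    elif "cidrIp" in req:
        # Legacy flat form (e.g. `--cidr ... --protocol tcp --port 22`).
        yield {
            "protocol": str(req.get("ipProtocol", "")),
            "from_port": req.get("fromPort"),
            "to_port": req.get("toPort", req.get("fromPort")),
            "cidrs": [req["cidrIp"]],
        }


def exposed_ports(perm: dict) -> Set[int]:
    """Watched ports this permission opens; protocol -1 means all traffic."""
    if perm["protocol"] == "-1":
        return set(REMOTE_ACCESS_PORTS)
    lo, hi = perm["from_port"], perm["to_port"]
    if lo is None:
        return set()
    hi = lo if hi is None else hi
    return {p for p in REMOTE_ACCESS_PORTS if lo <= p <= hi}


def check_event(event: dict) -> List[Tuple[str, int]]:
    """Return (cidr, port) findings for one CloudTrail record, [] if benign."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    if "errorCode" in event:  # failed call: the rule requires event.outcome: success
        return []
    findings = []
    for perm in iter_permissions(event.get("requestParameters", {})):
        for cidr in (c for c in perm["cidrs"] if c in ANY_CIDRS):
            for port in sorted(exposed_ports(perm)):
                findings.append((cidr, port))
    return findings


# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {   # SSH from anywhere, nested form: the sample rule catches this one.
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {"groupId": "sg-0example1", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # RDP from a private range, flat form: benign for this rule.
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {"groupId": "sg-0example2", "ipProtocol": "tcp",
                              "fromPort": 3389, "toPort": 3389, "cidrIp": "10.0.0.0/8"},
    },
    {   # All TCP ports from ::/0: fromPort is 0, so an exact-fromPort rule misses it.
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {"groupId": "sg-0example3", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 0, "toPort": 65535,
             "ipRanges": {"items": []},
             "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}},
    },
    {   # Same as the first, but the call was denied: no outcome=success.
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "errorCode": "Client.UnauthorizedOperation",
        "requestParameters": {"groupId": "sg-0example4", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
]


def scan(events: List[dict]) -> List[Tuple[str, str, int]]:
    """Run check_event over many records; returns (groupId, cidr, port) triples."""
    out = []
    for ev in events:
        gid = ev.get("requestParameters", {}).get("groupId", "?")
        out.extend((gid, cidr, port) for cidr, port in check_event(ev))
    return out


if __name__ == "__main__":
    for gid, cidr, port in scan(SAMPLE_EVENTS):
        print(f"ALERT {gid}: ingress from {cidr} to port {port}")
```

The third sample record is the case the caveat in the description refers to: a 0-65535 range from ::/0 covers SSH and RDP but has fromPort 0, so the exact-match clause in the sample rule never sees it. Matching on range containment, as this example does, closes that gap; the cost is that a correlation-engine query has to compare fromPort and toPort against each watched port rather than test fromPort for equality.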