LoFP / It's possible that a user has legitimately deleted a network ACL.

Techniques

Sample rules

Cloud Network Access Control List Deleted

Description

Enforcing network-access controls is one of the defensive mechanisms cloud administrators use to restrict access to a cloud instance. After an attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search queries the Change datamodel to detect users deleting network ACLs. Deprecated because it is a duplicate.

Detection logic

`cloudtrail` eventName=DeleteNetworkAcl
| rename userIdentity.arn as arn
| stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `cloud_network_access_control_list_deleted_filter`

ASL AWS Network Access Control List Deleted

Description

The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.

Detection logic

`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Success
| spath input=api.request.data path=egress output=egress
| spath input=api.request.data path=networkAclId output=networkAclId
| search egress=false
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_network_access_control_list_deleted_filter`

AWS Network Access Control List Deleted

Description

The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.

Detection logic

`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_network_access_control_list_deleted_filter`
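As an added, runnable illustration of what the stats pipelines above compute (this is not code from the rule set), the following Python applies the same filters to constructed CloudTrail-shaped records: the two event names, the ingress-only `requestParameters.egress=false` condition, and the per-principal count with first and last timestamps, source addresses, user agents and error codes. All record values are constructed sample data, not real log entries.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (not real log data); only the fields
# the rules above reference are populated.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "principalId": "AIDAEXAMPLE1"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15",
     "requestParameters": {"networkAclId": "acl-0abc", "egress": False, "ruleNumber": 100}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "principalId": "AIDAEXAMPLE1"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15",
     "requestParameters": {"networkAclId": "acl-0abc", "egress": True, "ruleNumber": 100}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice", "principalId": "AIDAEXAMPLE1"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15",
     "requestParameters": {"networkAclId": "acl-0abc", "egress": "false", "ruleNumber": 110}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "DeleteNetworkAcl",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deployer", "principalId": "AROAEXAMPLE2"},
     "sourceIPAddress": "203.0.113.9", "userAgent": "console.amazonaws.com",
     "errorCode": "DependencyViolation", "errorMessage": "The networkAcl has dependencies",
     "requestParameters": {"networkAclId": "acl-0def"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "DescribeNetworkAcls",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob", "principalId": "AIDAEXAMPLE3"},
     "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/2.15", "requestParameters": {}},
]

def detect_acl_deletions(records):
    """Mirror the stats pipelines above: keep DeleteNetworkAcl and ingress-only
    DeleteNetworkAclEntry events, grouped by principal ARN and event name."""
    groups = defaultdict(lambda: {"count": 0, "times": [], "src": set(),
                                  "userAgent": set(), "errorCode": set()})
    for r in records:
        name, params = r.get("eventName"), r.get("requestParameters") or {}
        if name not in ("DeleteNetworkAcl", "DeleteNetworkAclEntry"):
            continue
        # requestParameters.egress=false; the field may be a bool or a string in the log
        if name == "DeleteNetworkAclEntry" and str(params.get("egress")).lower() != "false":
            continue
        g = groups[(r["userIdentity"]["arn"], name)]
        g["count"] += 1
        g["times"].append(r["eventTime"])
        g["src"].add(r.get("sourceIPAddress"))
        g["userAgent"].add(r.get("userAgent"))
        if r.get("errorCode"):  # the first rule keeps failed attempts; the ASL rule requires status=Success
            g["errorCode"].add(r["errorCode"])
    return [{"arn": arn, "eventName": name, "count": g["count"],
             "firstTime": min(g["times"]), "lastTime": max(g["times"]),
             "src": sorted(g["src"]), "userAgent": sorted(g["userAgent"]),
             "errorCode": sorted(g["errorCode"])}
            for (arn, name), g in sorted(groups.items())]
```

Each returned row corresponds to one line of the Splunk stats output; the egress=true entry deletion and the DescribeNetworkAcls call are dropped, exactly as the rules' search terms drop them.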