Techniques
Sample rules
AWS Network Access Control List Deleted
- source: splunk
- techniques:
- T1562.007
- T1562
Description
Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.
Detection logic
`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_network_access_control_list_deleted_filter`
Cloud Network Access Control List Deleted
- source: splunk
- techniques:
Description
Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it’s a duplicate.
Detection logic
`cloudtrail` eventName=DeleteNetworkAcl
| rename userIdentity.arn as arn
| stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `cloud_network_access_control_list_deleted_filter`
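As an added example that is not part of either Splunk security-content rule above, the Python below re-implements the matching and aggregation of both searches over constructed CloudTrail records, so the two triggers can be compared outside Splunk: the first rule fires only on DeleteNetworkAclEntry with requestParameters.egress=false (an inbound rule removed) and its fillnull keeps events that lack a group field, while the second fires on any DeleteNetworkAcl call, including one that IAM denied, which it surfaces through the collected errorCode. Field names are the CloudTrail record fields the searches reference; the records, ARNs, IP addresses and error strings are constructed, and the `security_content_ctime` and `_filter` macros are approximated by ISO timestamps and no extra filtering.

```python
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not captured from any real account);
# only the fields the two searches reference are included.
ADMIN = {"arn": "arn:aws:iam::123456789012:user/admin", "principalId": "AIDAEXAMPLEADMIN", "userName": "admin"}
DEV = {"arn": "arn:aws:iam::123456789012:user/dev", "principalId": "AIDAEXAMPLEDEV", "userName": "dev"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "DeleteNetworkAclEntry", "userIdentity": ADMIN,
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100, "egress": False}},
    {"eventTime": "2024-03-01T10:02:30Z", "eventName": "DeleteNetworkAclEntry", "userIdentity": ADMIN,
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 110, "egress": False}},
    # Outbound rule removal: rule 1 requires egress=false, so this is not matched.
    {"eventTime": "2024-03-01T10:03:00Z", "eventName": "DeleteNetworkAclEntry", "userIdentity": ADMIN,
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100, "egress": True}},
    # Whole-ACL deletion that succeeded (no errorCode).
    {"eventTime": "2024-03-01T10:10:00Z", "eventName": "DeleteNetworkAcl", "userIdentity": ADMIN,
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"networkAclId": "acl-0example"}},
    # Whole-ACL deletion that IAM denied: rule 2 still surfaces it, with the errorCode.
    {"eventTime": "2024-03-01T11:00:00Z", "eventName": "DeleteNetworkAcl", "userIdentity": DEV,
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation.",
     "requestParameters": {"networkAclId": "acl-0example"}},
    # Unrelated event, ignored by both rules.
    {"eventTime": "2024-03-01T11:05:00Z", "eventName": "CreateNetworkAclEntry", "userIdentity": ADMIN,
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.ec2.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100, "egress": False}},
]

FIELDS_1 = ("user_arn", "principalId", "eventName", "egress", "src", "userAgent")
FIELDS_2 = ("src", "userName", "arn", "eventName")
VALUES_2 = ("errorMessage", "errorCode", "userAgent")


def _parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _is_false(value):
    """CloudTrail emits a JSON boolean; Splunk's egress=false also matches the string form."""
    return value is False or str(value).lower() == "false"


def _add_to_group(group, rec):
    """Maintain count, firstTime and lastTime like `stats count min(_time) max(_time)`."""
    stamp = _parse_time(rec["eventTime"])
    group["count"] += 1
    group["firstTime"] = stamp if group["firstTime"] is None else min(group["firstTime"], stamp)
    group["lastTime"] = stamp if group["lastTime"] is None else max(group["lastTime"], stamp)


def _finalize(groups):
    """Render times as ISO strings and `values(...)` sets as sorted lists, in key order."""
    rows = []
    for key in sorted(groups):
        row = dict(groups[key])
        for field in list(row):
            if isinstance(row[field], datetime):
                row[field] = row[field].isoformat()
            elif isinstance(row[field], set):
                row[field] = sorted(row[field])
        rows.append(row)
    return rows


def detect_acl_entry_deleted(records):
    """Rule 1: DeleteNetworkAclEntry with requestParameters.egress=false, grouped by
    user ARN, principalId, eventName, egress, source IP and userAgent."""
    groups = {}
    for rec in records:
        if rec.get("eventName") != "DeleteNetworkAclEntry":
            continue
        if not _is_false(rec.get("requestParameters", {}).get("egress")):
            continue
        ident = rec.get("userIdentity", {})
        # `fillnull` in the search: a missing group field becomes "null" instead of
        # silently dropping the event from the stats output.
        key = (ident.get("arn", "null"), ident.get("principalId", "null"), rec["eventName"],
               "false", rec.get("sourceIPAddress", "null"), rec.get("userAgent", "null"))
        group = groups.setdefault(key, {**dict(zip(FIELDS_1, key)), "count": 0,
                                        "firstTime": None, "lastTime": None})
        _add_to_group(group, rec)
    return _finalize(groups)


def detect_acl_deleted(records):
    """Rule 2: any DeleteNetworkAcl call grouped by src, userName, arn and eventName, with
    distinct errorMessage/errorCode/userAgent values collected like `values(...)`.
    Denied attempts (errorCode set) are kept: a failed deletion is still a signal."""
    groups = {}
    for rec in records:
        if rec.get("eventName") != "DeleteNetworkAcl":
            continue
        ident = rec.get("userIdentity", {})
        key = (rec.get("sourceIPAddress"), ident.get("userName"), ident.get("arn"), rec["eventName"])
        if None in key:
            continue  # no fillnull here: `stats ... by` drops events lacking a group field
        group = groups.setdefault(key, {**dict(zip(FIELDS_2, key)), "count": 0, "firstTime": None,
                                        "lastTime": None, **{f: set() for f in VALUES_2}})
        _add_to_group(group, rec)
        for field in VALUES_2:
            if rec.get(field) is not None:
                group[field].add(rec[field])
    return _finalize(groups)


if __name__ == "__main__":
    for row in detect_acl_entry_deleted(SAMPLE_EVENTS) + detect_acl_deleted(SAMPLE_EVENTS):
        print(row)
```

Running the block prints one row for the first rule (the two inbound-rule deletions by the admin principal collapse into a single group with count 2, and the egress=true deletion is excluded) and two rows for the second rule, one of which is the denied attempt from the dev principal. That second row is worth keeping in triage: in the CloudTrail record a denied call still carries eventName=DeleteNetworkAcl, so the search sees it, and the errorCode column is what distinguishes an attempt from a successful deletion.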