Techniques
Sample rules
ASL AWS Network Access Control List Created with All Open Ports
- source: splunk
- technicques:
- T1562.007
- T1562
Description
The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for CreateNetworkAclEntry or ReplaceNetworkAclEntry actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.
Detection logic
`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.operation=ReplaceNetworkAclEntry status=Success
| spath input=api.request.data path=ruleAction output=ruleAction
| spath input=api.request.data path=egress output=egress
| spath input=api.request.data path=aclProtocol output=aclProtocol
| spath input=api.request.data path=cidrBlock output=cidrBlock
| spath input=api.request.data path=networkAclId output=networkAclId
| search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId
| rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_network_access_control_list_created_with_all_open_ports_filter`
AWS Network Access Control List Created with All Open Ports
- source: splunk
- technicques:
- T1562.007
- T1562
Description
The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for CreateNetworkAclEntry or ReplaceNetworkAclEntry actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.
Detection logic
`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1
| append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1
| eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from'
| where port_range>1024]
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_network_access_control_list_created_with_all_open_ports_filter`