LoFP LoFP / it's possible that an admin has created this acl with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.

Techniques

Sample rules

ASL AWS Network Access Control List Created with All Open Ports

Description

The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for CreateNetworkAclEntry or ReplaceNetworkAclEntry actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.

Detection logic

`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.operation=ReplaceNetworkAclEntry status=Success 
| spath input=api.request.data path=ruleAction output=ruleAction 
| spath input=api.request.data path=egress output=egress 
| spath input=api.request.data path=aclProtocol output=aclProtocol 
| spath input=api.request.data path=cidrBlock output=cidrBlock 
| spath input=api.request.data path=networkAclId output=networkAclId 
| search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId cidrBlock 
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `asl_aws_network_access_control_list_created_with_all_open_ports_filter`

AWS Network Access Control List Created with All Open Ports

Description

The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for CreateNetworkAclEntry or ReplaceNetworkAclEntry actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.

Detection logic

`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 
| append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 
| eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' 
| where port_range>1024] 
| fillnull 
| rename user_name as user 
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from requestParameters.cidrBlock 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_network_access_control_list_created_with_all_open_ports_filter`