it's possible that an admin has created this acl with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.

Techniques

Sample rules

AWS Network Access Control List Created with All Open Ports

source: splunk
technicques:
- T1562.007
- T1562

Description

The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.

Detection logic

`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 
| append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 
| eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' 
| where port_range>1024] 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_network_access_control_list_created_with_all_open_ports_filter`