Route tables can legitimately be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making these changes in your environment. Route table modifications by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may also lead to false positives.

Techniques

Sample rules

AWS EC2 Route Table Modified or Deleted

Description

Identifies AWS CloudTrail events where an EC2 route table or route table association has been modified or deleted. Route table or association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule: it alerts on the first occurrence of this behavior for each aws.cloudtrail.user_identity.arn value that has not been seen performing it in the last 10 days.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action:(
        "ReplaceRoute" or
        "ReplaceRouteTableAssociation" or
        "DeleteRouteTable" or
        "DeleteRoute" or
        "DisassociateRouteTable"
    )
    and event.outcome: "success"
    and not source.address: (
        "cloudformation.amazonaws.com" or
        "servicecatalog.amazonaws.com" or
        "fsx.amazonaws.com"
    )