LoFP / Route tables may be created by system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives.

Techniques

Sample rules

AWS EC2 Route Table Created

Description

Identifies when an EC2 Route Table has been created. Route tables can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com" 
    and event.action:(
        "CreateRoute" or 
        "CreateRouteTable"
    ) 
    and event.outcome: "success"
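The query above, together with the page's New Terms note and its Terraform false-positive note, can be reproduced offline to see how the rule behaves on a stream of events. The following is an added example written for this page; it is not code from the LoFP catalog or from Elastic's rule. It applies the four predicates of the query to CloudTrail-shaped events, alerts only on the first matching event per user/role ARN (the New Terms behavior), and shows one way a known-good automation user agent could be exempted. The field names outside the query (aws.cloudtrail.user_identity.arn, user_agent.original, source.ip), the substring match on the user agent, and every event below are assumptions constructed for the example.

```python
# Added example; not code from the LoFP page or from Elastic's rule.
# Applies the rule's four predicates to CloudTrail-shaped events, emulates
# the rule's "New Terms" behaviour (alert only on the first occurrence per
# user/role), and shows how a known-good automation such as Terraform could
# be exempted. Field names beyond those in the query and all sample events
# are assumptions constructed for this example.

MATCHED_ACTIONS = {"CreateRoute", "CreateRouteTable"}


def matches_rule(ev):
    """The page's detection logic expressed as a predicate over one event."""
    return (
        ev.get("event.dataset") == "aws.cloudtrail"
        and ev.get("event.provider") == "ec2.amazonaws.com"
        and ev.get("event.action") in MATCHED_ACTIONS
        and ev.get("event.outcome") == "success"
    )


def is_exempt(ev, exempt_user_agents):
    """True when the event's user agent marks it as known automation.

    Substring matching on user_agent.original is an assumption made here;
    a production exemption would normally also pin the calling role ARN,
    since a user agent string is trivially chosen by the caller."""
    ua = ev.get("user_agent.original", "")
    return any(marker in ua for marker in exempt_user_agents)


def new_terms_alerts(events, exempt_user_agents=("Terraform",)):
    """Return one alert per user/role the first time it creates a route or
    route table; later matches from the same ARN are suppressed, which is
    how the rule's New Terms behaviour limits alert volume."""
    seen_terms = set()
    alerts = []
    for ev in events:
        if not matches_rule(ev) or is_exempt(ev, exempt_user_agents):
            continue
        term = ev.get("aws.cloudtrail.user_identity.arn", "<unknown>")
        if term in seen_terms:
            continue
        seen_terms.add(term)
        alerts.append({
            "arn": term,
            "action": ev["event.action"],
            "source_ip": ev.get("source.ip"),
            "user_agent": ev.get("user_agent.original"),
        })
    return alerts


# Constructed sample events (not real CloudTrail data).
SAMPLE_EVENTS = [
    {   # first route table created by an admin role: alert
        "event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateRouteTable", "event.outcome": "success",
        "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111111111111:assumed-role/NetAdmin/alice",
        "user_agent.original": "console.ec2.amazonaws.com", "source.ip": "198.51.100.10",
    },
    {   # same role adds a route: suppressed as an already-seen term
        "event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateRoute", "event.outcome": "success",
        "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111111111111:assumed-role/NetAdmin/alice",
        "user_agent.original": "console.ec2.amazonaws.com", "source.ip": "198.51.100.10",
    },
    {   # Terraform pipeline: matches the query but is exempted by user agent
        "event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateRouteTable", "event.outcome": "success",
        "aws.cloudtrail.user_identity.arn": "arn:aws:sts::111111111111:assumed-role/CIDeploy/run-42",
        "user_agent.original": "APN/1.0 HashiCorp/1.0 Terraform/1.5.0", "source.ip": "203.0.113.5",
    },
    {   # failed attempt: event.outcome is not "success", so no match
        "event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateRouteTable", "event.outcome": "failure",
        "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111111111111:user/unknown-user",
        "user_agent.original": "aws-cli/2.13.0", "source.ip": "192.0.2.77",
    },
    {   # not an EC2 API call: the provider filter excludes it
        "event.dataset": "aws.cloudtrail", "event.provider": "iam.amazonaws.com",
        "event.action": "CreateRoute", "event.outcome": "success",
        "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111111111111:user/unknown-user",
        "user_agent.original": "aws-cli/2.13.0", "source.ip": "192.0.2.77",
    },
    {   # an unfamiliar principal succeeds: alert, and one to investigate
        "event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
        "event.action": "CreateRouteTable", "event.outcome": "success",
        "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111111111111:user/unknown-user",
        "user_agent.original": "aws-cli/2.13.0", "source.ip": "192.0.2.77",
    },
]


if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS):
        print(alert)
```

Running it yields two alerts, one for the NetAdmin role and one for the unfamiliar IAM user; the Terraform event is dropped by the exemption, and passing `exempt_user_agents=()` brings it back, which is the trade-off the page describes between suppressing known automation and losing coverage of anything that imitates it.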