AWS EC2 Full Network Packet Capture Detected

Detects successful creation of an Amazon EC2 Traffic Mirroring session. A session copies full packets from a source Elastic Network Interface (ENI) to a mirror target (e.g., an ENI or NLB) using a mirror filter (ingress/egress rules). While used for diagnostics and NDR/IDS tooling, adversaries can abuse sessions to covertly capture and exfiltrate sensitive, potentially unencrypted, traffic from instances or subnets.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/10/23"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Detects successful creation of an Amazon EC2 Traffic Mirroring session. A session copies full packets from a source
Elastic Network Interface (ENI) to a mirror target (e.g., an ENI or NLB) using a mirror filter (ingress/egress rules).
While used for diagnostics and NDR/IDS tooling, adversaries can abuse sessions to covertly capture and exfiltrate
sensitive, potentially unencrypted, traffic from instances or subnets.
"""
false_positives = [
    """
    Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Full Network Packet Capture Detected"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS EC2 Full Network Packet Capture Detected

This alert fires on a successful `CreateTrafficMirrorSession`, which enables full-packet Traffic Mirroring from a
source ENI to a mirror target under a given filter. Because sessions immediately begin sending packets once active,
treat unexpected creations as high priority.

#### Possible investigation steps

**Identify the actor and execution context**
- **Principal**: Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
  `aws.cloudtrail.user_identity.access_key_id` to determine who created the session (human IAM user vs. assumed role vs. automation).
- **Caller metadata**: Check `user_agent.original` and `source.ip` for unusual tools, hosts, or locations.
- **Account/Region/Time**: Validate `cloud.account.id`, `cloud.region`, and `@timestamp` against change windows or tickets.

**Extract the session details from the event**
- **Request parameters**: Parse `aws.cloudtrail.request_parameters` for:
  - `NetworkInterfaceId` (mirrored source ENI): map to the EC2 instance and its business function.
  - `TrafficMirrorTargetId`: identify where packets are being sent (ENI vs. NLB).
  - `TrafficMirrorFilterId`: check which directions and protocols are allowed (ingress/egress, ports).
  - `SessionNumber`, `Description`, `TagSpecifications`: look for operator tags or suspicious notes.
- **Response elements**: Use `aws.cloudtrail.response_elements` to confirm the created `TrafficMirrorSessionId` and
  any resolved resource ARNs/IDs.

**Pivot for related API calls to validate scope and intent**
Look before and after this event (±30–60 minutes) by the same principal / access key / source IP for:
- **Target & Filter lifecycle**: `CreateTrafficMirrorTarget`, `CreateTrafficMirrorFilter`, `CreateTrafficMirrorFilterRule`,
  `ModifyTrafficMirrorSession|Filter|FilterRule`, and `Delete*` calls (rapid create-modify patterns can indicate staging).
- **Session management**: `DeleteTrafficMirrorSession` shortly after creation (test/probe), or repeated creations to different targets.
- **Discovery/positioning**: `DescribeNetworkInterfaces`, `DescribeInstances`, `DescribeVpcs/Subnets/RouteTables` around the same time.
- **Cross-account indicators**: creation of targets that forward to infrastructure not owned by your account (e.g., NLB in shared services).
- **Other suspicious changes**: IAM permission changes, new access keys, or S3/SNS setup that could support exfil/ops.

**Validate the mirror destination and potential data exposure**
- If the target is an ENI: identify the owning instance/application; confirm it is an approved NDR/packet capture host.
- If the target is an NLB target: determine where the NLB sends traffic (could be a collection point in another VPC or account).
- Assess whether mirrored flows include plaintext protocols (internal HTTP, databases, LDAP, etc.) increasing sensitivity.

### False positive analysis

- **Authorized monitoring**: Approved NDR/IDS tooling or troubleshooting playbooks may legitimately create sessions.
- **Ops/diagnostics**: Short-lived sessions during incident handling or performance analysis.
- **Automation**: Infrastructure pipelines that stand up temporary mirroring for validation.

### Response and remediation

**1. Contain**
- If unauthorized, terminate the session immediately (use the `TrafficMirrorSessionId` from `aws.cloudtrail.response_elements`)
  and block creation permissions for the offending principal.
- Quarantine or restrict egress from the target if you suspect it is forwarding captured traffic outside approved destinations.

**2. Investigate**
- Enumerate all active sessions in the affected account/region; verify there aren't additional rogue sessions.
- Review related target and filter resources (and recent `Modify*` calls) to understand captured scope and recipients.
- Trace the source ENI back to the EC2 instance and validate whether sensitive workloads were mirrored.

**3. Recover & harden**
- Remove or lock down unapproved targets/filters; enforce least privilege on `ec2:CreateTrafficMirrorSession/Target/Filter`.
- Consider SCPs or IAM conditions limiting who/where sessions can be created (e.g., only into designated monitoring VPCs).
- Ensure monitoring targets are controlled, logged, and not internet-reachable.

**4. Improve**
- Add correlation logic to automatically surface `CreateTrafficMirrorSession` alongside Create/Modify Target/Filter calls by the same actor.
- Require tags on approved mirroring resources; alert on untagged/unticketed creations.
- Update playbooks to include a standard validation checklist (principal, source ENI, target, filter rules, destination path).

"""
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorSession.html",
    "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/",
]
risk_score = 47
rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Network Security Monitoring",
    "Tactic: Exfiltration",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail" and
    event.provider: "ec2.amazonaws.com" and
    event.action: "CreateTrafficMirrorSession" and
    event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1020"
name = "Automated Exfiltration"
reference = "https://attack.mitre.org/techniques/T1020/"

[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1074"
name = "Data Staged"
reference = "https://attack.mitre.org/techniques/T1074/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1040"
name = "Network Sniffing"
reference = "https://attack.mitre.org/techniques/T1040/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
