AWS EC2 Route Table Modified or Deleted
Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by the aws.cloudtrail.user_identity.arn field in the last 10 days.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/02/03"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or
association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain
persistence in a compromised environment. This is a [New
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the
first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 10 days.
"""
false_positives = [
    """
    Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also
    automated processes that use Terraform may lead to false positives.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Route Table Modified or Deleted"
note = """
## Triage and Analysis

### Investigating AWS EC2 Route Table Modified or Deleted

This rule detects modifications or deletions of AWS route tables using actions such as `ReplaceRoute`, `ReplaceRouteTableAssociation`, `DeleteRouteTable`, `DeleteRoute`, or `DisassociateRouteTable`. These actions may indicate legitimate administrative activity, but they can also be abused by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment.

#### Possible Investigation Steps

- **Review Request Parameters:**
  - Check the `aws.cloudtrail.flattened.request_parameters` field. The sub-fields may vary depending on the `event.action` (e.g., `routeTableId` for `DeleteRouteTable`, `destinationCidrBlock` for `ReplaceRoute`).
  - Validate the affected route table, routes, or associations based on the API call:
    - For `ReplaceRoute`: Look for changes in specific routes using `destinationCidrBlock`.
    - For `ReplaceRouteTableAssociation`: Review the new association details (e.g., subnet ID).
    - For `DeleteRouteTable`: Confirm the `routeTableId` of the deleted table.
    - For `DisassociateRouteTable`: Verify the disassociated resources.

- **Review User Context**:
  - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role initiating the action. Investigate whether this user is authorized to perform these operations.
  - **Access Key ID**: Check the `aws.cloudtrail.user_identity.access_key_id` field to identify if the access key used was expected or potentially compromised.
  - **Access Patterns**: Validate whether the user or role has a history of performing route table modifications and whether this aligns with their expected responsibilities.

- **Analyze Request Details**:
  - **Action Type**: Verify the specific API call in the `event.action` field (e.g., `ReplaceRoute`, `DeleteRouteTable`) to understand the nature of the modification.
  - **Source IP and Geolocation**: Examine the `source.address` and `source.geo` fields to confirm whether the request originated from a trusted location. Suspicious geolocations or IPs may indicate adversarial activity.
  - **User Agent**: Review the `user_agent.original` field to determine the tool used for the request (e.g., AWS CLI, Terraform). Unusual or custom user agents may indicate malicious intent.

- **Correlate with Other Activity**:
  - **Concurrent API Calls**: Look for related API calls (e.g., `CreateRoute`, `AuthorizeSecurityGroupIngress`, or `ModifyInstanceAttribute`) from the same user or IP to detect broader attack patterns.
  - **IAM Changes**: Investigate whether any IAM policy updates or privilege escalation attempts preceded this activity.
  - **Unusual Volume of Changes**: Check if the user has performed multiple route table modifications or deletions in a short timeframe.

- **Validate the Intent**:
  - **Planned Changes**: Confirm with administrators whether the route table changes were part of a planned update or maintenance activity.
  - **Permissions and Justification**: Ensure that the user or role has the least privilege necessary for these actions and that there is a valid reason for modifying the route table.

### False Positive Analysis

- **Routine Administration**: Route table modifications are often part of routine administrative tasks, such as creating new routes, updating associations, or removing unused resources.
- **Automation Tools**: Automated workflows, such as those executed by Terraform or CloudFormation, may trigger these events. Verify whether the `user_agent.original` field or source IP matches known automation tools.
- **Maintenance or Scaling**: Confirm whether these actions align with maintenance activities or scaling events (e.g., adding or removing subnets).

### Response and Remediation

- **Revoke Unauthorized Permissions**: If unauthorized, remove permissions for `ec2:ReplaceRoute`, `ec2:DeleteRouteTable`, or other related actions from the user or role.
- **Restore the Route Table**:
  - If critical networking was impacted, restore the route table or reapply previous configurations from backups or Terraform state files.
  - Verify connectivity to affected subnets or instances to ensure no disruptions to services.
- **Audit IAM Policies**:
  - Limit route table modification permissions to specific trusted users, roles, or automation accounts.
  - Implement conditions in IAM policies, such as source IP restrictions, to reduce the risk of unauthorized access.
- **Monitor and Alert**:
  - Set up additional alerts for unexpected route table modifications or deletions.
  - Use VPC flow logs and CloudTrail to monitor for related suspicious activity.
- **Secure Automation**: Ensure automation tools, such as Terraform or CloudFormation, are configured securely and that their credentials are stored in secure locations like AWS Secrets Manager.
"""
references = [
    "https://github.com/easttimor/aws-incident-response#network-routing",
    "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
]
risk_score = 21
rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Network Security Monitoring",
    "Resources: Investigation Guide",
    "Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action:(
        "ReplaceRoute" or
        "ReplaceRouteTableAssociation" or
        "DeleteRouteTable" or
        "DeleteRoute" or
        "DisassociateRouteTable"
    )
    and event.outcome: "success"
    and not source.address: (
        "cloudformation.amazonaws.com" or
        "servicecatalog.amazonaws.com" or
        "fsx.amazonaws.com"
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = ["aws.cloudtrail.user_identity.arn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
```
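To make the rule's behaviour concrete, the following added example (not Elastic's code) re-implements the KQL filter above and the New Terms logic (first match per `aws.cloudtrail.user_identity.arn` within a 10-day history window) in plain Python over a handful of constructed, ECS-shaped CloudTrail events. The field names come from the rule; the sample ARNs, timestamps and the `203.0.113.10` source address are constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example (not Elastic's code): the rule's KQL filter and its New Terms
# logic re-implemented over constructed, ECS-shaped CloudTrail events.
ROUTE_TABLE_ACTIONS = {"ReplaceRoute", "ReplaceRouteTableAssociation",
                       "DeleteRouteTable", "DeleteRoute", "DisassociateRouteTable"}
# Service principals the query excludes as source.address
EXCLUDED_SOURCES = {"cloudformation.amazonaws.com", "servicecatalog.amazonaws.com",
                    "fsx.amazonaws.com"}
HISTORY_WINDOW = timedelta(days=10)  # rule.new_terms history_window_start = now-10d

def matches_query(ev: dict) -> bool:
    """Mirror the KQL: dataset, provider, action set, success, source exclusion."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "ec2.amazonaws.com"
            and ev.get("event.action") in ROUTE_TABLE_ACTIONS
            and ev.get("event.outcome") == "success"
            and ev.get("source.address") not in EXCLUDED_SOURCES)

def new_terms_alerts(events: list[dict]) -> list[dict]:
    """Matching events whose ARN had no match in the prior 10 days (new again after a lapse)."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        arn, ts = ev["aws.cloudtrail.user_identity.arn"], ev["@timestamp"]
        prev = last_seen.get(arn)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append(ev)
        last_seen[arn] = ts  # any match inside the window keeps the ARN "known"
    return alerts

T0 = datetime(2025, 2, 3, 12, 0, tzinfo=timezone.utc)  # constructed reference time

def _ev(minutes, action, arn, outcome="success", source="203.0.113.10"):
    return {"@timestamp": T0 + timedelta(minutes=minutes), "event.dataset": "aws.cloudtrail",
            "event.provider": "ec2.amazonaws.com", "event.action": action, "event.outcome": outcome,
            "source.address": source, "aws.cloudtrail.user_identity.arn": arn}

ALICE, BOB = "arn:aws:iam::123456789012:user/alice", "arn:aws:iam::123456789012:user/bob"
SAMPLE_EVENTS = [  # constructed, not real CloudTrail data; 203.0.113.10 is a documentation IP
    _ev(0, "DeleteRouteTable", ALICE),                 # first match for alice -> alert
    _ev(5, "ReplaceRoute", ALICE),                     # alice seen 5 min earlier -> no alert
    _ev(10, "ReplaceRoute", "arn:aws:iam::123456789012:role/cfn",
        source="cloudformation.amazonaws.com"),        # excluded source -> no alert
    _ev(15, "DeleteRoute", BOB, outcome="failure"),    # failed call -> no alert
    _ev(20, "DisassociateRouteTable", BOB),            # first success for bob -> alert
    _ev(11 * 24 * 60, "DeleteRoute", ALICE),           # >10 days since alice -> alert again
]
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields three alerts (alice's first call, bob's first successful call, and alice again after the window lapses), which is the triage volume a SOC should expect from this rule rather than one alert per change.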
Related rules
- AWS EC2 Network Access Control List Creation
- AWS EC2 Security Group Configuration Change
- AWS Route Table Created
- AWS EC2 Encryption Disabled
- AWS EC2 Full Network Packet Capture Detected