AWS EC2 Route Table Created

Identifies when an EC2 Route Table has been created. Route tables can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/09/04"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when an EC2 Route Table has been created. Route tables can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.
"""
false_positives = [
    """
    Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated
    processes that use Terraform may lead to false positives.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Route Table Created"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS EC2 Route Table Created

AWS Route Tables are crucial components in managing network traffic within AWS environments, directing data between subnets and internet gateways. Adversaries may exploit route tables to reroute traffic for data exfiltration or to establish persistence by creating unauthorized routes. The detection rule monitors successful creation events of route tables, flagging potential misuse by correlating specific AWS CloudTrail logs, thus aiding in identifying unauthorized network configuration changes.

### Possible investigation steps

- Investigate the AWS account and IAM user or role to determine if the action aligns with expected behavior and permissions.
- Examine the newly created route table's configuration to identify any unauthorized or suspicious routes that could indicate potential misuse or data exfiltration attempts.
- Correlate the event with other network security monitoring data to identify any unusual traffic patterns or anomalies that coincide with the route table creation.
- Assess the environment for any recent changes or incidents that might explain the creation of the route table, such as new deployments or infrastructure modifications.

### False positive analysis

- Routine infrastructure updates or deployments may trigger route table creation events. To manage this, establish a baseline of expected behavior during scheduled maintenance windows and exclude these from alerts.
- Automated cloud management tools often create route tables as part of their operations. Identify these tools and create exceptions for their known activities to reduce noise.
- Development and testing environments frequently undergo changes, including the creation of route tables. Consider excluding these environments from alerts or applying a different set of monitoring rules.
- Legitimate changes by authorized personnel can be mistaken for suspicious activity. Implement a process to verify and document authorized changes, allowing for quick exclusion of these events from alerts.
- Multi-account AWS setups might have centralized networking teams that create route tables across accounts. Coordinate with these teams to understand their activities and exclude them from triggering alerts.

### Response and remediation

- If unauthorized, remove permissions for related actions from the user or role. You can use the managed [AWSDenyAll](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDenyAll.html) policy.
- Review the newly created route table and any associated routes to identify unauthorized entries. Remove any routes that are not part of the expected network configuration.
- Conduct a thorough audit of IAM roles and permissions to ensure that only authorized users have the ability to create or modify route tables. Revoke any excessive permissions identified.
- Implement network monitoring to detect unusual traffic patterns that may indicate data exfiltration or other malicious activities.
- Escalate the incident to the security operations team for further investigation and to determine if additional AWS resources have been compromised.
- Review AWS CloudTrail logs for any other suspicious activities around the time of the route table creation to identify potential indicators of compromise.
- Update security policies and procedures to include specific guidelines for monitoring and responding to unauthorized route table modifications, ensuring rapid detection and response in the future.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable",
]
risk_score = 21
rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Network Security Monitoring",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "ec2.amazonaws.com"
    and event.action:(
        "CreateRoute" or
        "CreateRouteTable"
    )
    and event.outcome: "success"
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements"
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
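To make the rule's two moving parts concrete, the following Python script (an added example, not part of the Elastic rule or its repository) replays the KQL filter and the New Terms logic over constructed CloudTrail records. It assumes a simplified field mapping from raw CloudTrail to ECS (event.provider from eventSource, event.action from eventName, event.outcome from the presence of errorCode, cloud.account.id from recipientAccountId, user.name from userIdentity.userName); the real Fleet/Filebeat pipeline does more than this. A (cloud.account.id, user.name) pair raises an alert only when no matching event for that pair was seen in the preceding ten days, which is the streaming equivalent of the rule's history_window_start of now-10d. The sample records, account IDs and user names are all constructed for the example.

```python
"""Replay the 'AWS EC2 Route Table Created' filter and New Terms semantics offline."""
from datetime import datetime, timedelta

# Values mirroring the rule's query and new_terms configuration.
WATCHED_PROVIDER = "ec2.amazonaws.com"
WATCHED_ACTIONS = {"CreateRoute", "CreateRouteTable"}
NEW_TERMS_FIELDS = ("cloud.account.id", "user.name")
HISTORY_WINDOW = timedelta(days=10)  # history_window_start = "now-10d"


def normalize(raw: dict) -> dict:
    """Map the raw CloudTrail fields this example needs onto the ECS names the rule queries.

    Assumption for this example: user.name comes from userIdentity.userName. A raw
    CloudTrail record carries errorCode only when the API call was denied or failed.
    """
    return {
        "@timestamp": datetime.fromisoformat(raw["eventTime"].replace("Z", "+00:00")),
        "event.provider": raw["eventSource"],
        "event.action": raw["eventName"],
        "event.outcome": "failure" if raw.get("errorCode") else "success",
        "cloud.account.id": raw["recipientAccountId"],
        "user.name": raw["userIdentity"].get("userName", "unknown"),
    }


def matches_query(ev: dict) -> bool:
    """Equivalent of the rule's KQL: EC2 provider, a create action, and a successful outcome."""
    return (
        ev["event.provider"] == WATCHED_PROVIDER
        and ev["event.action"] in WATCHED_ACTIONS
        and ev["event.outcome"] == "success"
    )


def new_terms_alerts(raw_events: list) -> list:
    """Return one alert per (account, user) pair whose last matching event is older than
    the history window (or absent). Events are replayed in timestamp order."""
    events = sorted((normalize(r) for r in raw_events), key=lambda e: e["@timestamp"])
    last_seen = {}
    alerts = []
    for ev in events:
        if not matches_query(ev):
            continue
        term = tuple(ev[f] for f in NEW_TERMS_FIELDS)
        previous = last_seen.get(term)
        if previous is None or ev["@timestamp"] - previous > HISTORY_WINDOW:
            alerts.append({
                "@timestamp": ev["@timestamp"].isoformat(),
                "cloud.account.id": ev["cloud.account.id"],
                "user.name": ev["user.name"],
                "event.action": ev["event.action"],
            })
        last_seen[term] = ev["@timestamp"]
    return alerts


def _ct(time, account, user, name, error=None, source=WATCHED_PROVIDER):
    """Build a minimal constructed CloudTrail record."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "recipientAccountId": account,
           "userIdentity": {"type": "IAMUser", "userName": user}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample input: two accounts, two users, one denied call, one read-only call.
SAMPLE_EVENTS = [
    _ct("2025-09-01T10:00:00Z", "111111111111", "alice", "CreateRouteTable"),  # new pair -> alert
    _ct("2025-09-01T10:05:00Z", "111111111111", "alice", "CreateRoute"),       # seen minutes ago
    _ct("2025-09-02T08:00:00Z", "111111111111", "bob", "CreateRouteTable",
        error="Client.UnauthorizedOperation"),                                  # not a success
    _ct("2025-09-02T09:00:00Z", "111111111111", "bob", "DescribeRouteTables"), # not a create action
    _ct("2025-09-03T09:00:00Z", "222222222222", "alice", "CreateRouteTable"),  # same user, new account
    _ct("2025-09-15T09:00:00Z", "111111111111", "alice", "CreateRouteTable"),  # last seen 14 days ago
]

if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS):
        print(alert)
```

Three of the six records alert: the first sighting of alice in account 111111111111, her first sighting in account 222222222222 (the term is the pair, not the user alone), and her reappearance in the first account after a gap longer than the ten-day window. The denied CreateRouteTable call and the DescribeRouteTables call never reach the New Terms stage because the query filter excludes them, which is also why a denied attempt by an unfamiliar principal would need a separate failure-focused rule to surface.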
