AWS Route Table Modified or Deleted
Identifies when an AWS Route Table has been modified or deleted.
Elastic rule
```toml
[metadata]
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies when an AWS Route Table has been modified or deleted."
false_positives = [
    """
    Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also
    automated processes that use Terraform may lead to false positives.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Route Table Modified or Deleted"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Route Table Modified or Deleted

AWS Route Tables are crucial for directing network traffic within a VPC. Adversaries may exploit these by altering or deleting routes to disrupt services or reroute traffic for data exfiltration. The detection rule monitors AWS CloudTrail logs for specific actions like route replacement or deletion, signaling potential unauthorized modifications that could indicate malicious activity.

### Possible investigation steps

- Review the AWS CloudTrail logs to identify the specific user or role associated with the event.provider:ec2.amazonaws.com actions such as ReplaceRoute, ReplaceRouteTableAssociation, DeleteRouteTable, DeleteRoute, or DisassociateRouteTable.
- Check the event.time field in the CloudTrail logs to determine the exact time of the modification or deletion and correlate it with any other suspicious activities or alerts around the same timeframe.
- Investigate the source IP address and location from which the changes were made to assess if they align with expected administrative access patterns.
- Examine the AWS IAM policies and permissions associated with the user or role to determine if they have legitimate access to modify or delete route tables.
- Review recent changes in the AWS environment, such as new deployments or updates, to understand if the route table modifications were part of planned activities.
- Contact the user or team responsible for the changes to verify if the actions were authorized and intended as part of routine operations.

### False positive analysis

- Routine infrastructure updates or maintenance activities by authorized personnel can trigger alerts. To manage this, create exceptions for known maintenance windows or specific user accounts that regularly perform these tasks.
- Automated scripts or tools used for infrastructure management might modify route tables as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific user agent strings or IAM roles.
- Changes made by cloud service providers during updates or optimizations can also appear as modifications. Monitor communications from AWS for scheduled changes and temporarily adjust detection rules to accommodate these events.
- Development and testing environments often undergo frequent changes that are non-threatening. Consider excluding these environments from the rule or applying a different risk threshold to reduce noise.
- Multi-account setups where centralized management tools modify route tables across accounts can lead to false positives. Implement account-specific exclusions or adjust the rule to recognize these centralized actions.

### Response and remediation

- Immediately isolate the affected VPC to prevent further unauthorized access or data exfiltration. This can be done by temporarily modifying security group rules to restrict inbound and outbound traffic.
- Review the AWS CloudTrail logs to identify the source of the unauthorized modifications. Focus on the user identity, IP address, and time of the event to understand the scope and origin of the threat.
- Revert any unauthorized changes to the route tables by restoring them to their last known good configuration. This may involve manually recreating deleted routes or associations.
- Implement IAM policies to restrict permissions for modifying route tables to only essential personnel. Ensure that the principle of least privilege is enforced.
- Enable AWS Config to continuously monitor and record configuration changes to route tables, providing an audit trail for future incidents.
- Set up CloudWatch Alarms to alert on any future unauthorized modifications to route tables, ensuring rapid detection and response.
- If the incident is confirmed as malicious, escalate to the security operations team for further investigation and potential involvement of AWS support or legal authorities.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://github.com/easttimor/aws-incident-response#network-routing",
    "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html",
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html",
]
risk_score = 21
rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Route53",
    "Use Case: Network Security Monitoring",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or
DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
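The following Python is an added example, not Elastic's code or part of the rule above. It replays the rule's KQL conditions over a handful of constructed raw CloudTrail records, then applies an exception list of the kind the false-positive guidance describes (known automation roles and user-agent strings), so you can see which records would alert and why. The field mapping in `to_ecs` (eventSource to event.provider, eventName to event.action, event.outcome derived from the presence of errorCode) is an assumption about how the AWS integration exposes these fields, and every record, role name and IP address in it is constructed sample data.

```python
"""Added example: evaluate the 'AWS Route Table Modified or Deleted' query
logic over constructed CloudTrail records, with automation exceptions."""
import json
from typing import Iterable

# The event names listed in the rule's query (event.action after ECS mapping).
ROUTE_TABLE_ACTIONS = {
    "ReplaceRoute",
    "ReplaceRouteTableAssociation",
    "DeleteRouteTable",
    "DeleteRoute",
    "DisassociateRouteTable",
}

# Constructed raw CloudTrail records (sample data, not from a real account).
SAMPLE_RECORDS_JSON = """
[
  {"eventID": "evt-1", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRoute",
   "eventTime": "2025-01-15T10:01:00Z", "sourceIPAddress": "203.0.113.10",
   "userAgent": "console.ec2.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}},
  {"eventID": "evt-2", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteRoute",
   "eventTime": "2025-01-15T10:02:00Z", "sourceIPAddress": "198.51.100.7",
   "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.9.0",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::123456789012:assumed-role/TerraformDeployRole/ci"}},
  {"eventID": "evt-3", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteRouteTable",
   "eventTime": "2025-01-15T10:03:00Z", "sourceIPAddress": "203.0.113.10",
   "userAgent": "aws-cli/2.15.0", "errorCode": "Client.UnauthorizedOperation",
   "userIdentity": {"type": "IAMUser", "userName": "bob"}},
  {"eventID": "evt-4", "eventSource": "ec2.amazonaws.com", "eventName": "CreateRouteTable",
   "eventTime": "2025-01-15T10:04:00Z", "sourceIPAddress": "203.0.113.10",
   "userAgent": "aws-cli/2.15.0",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}},
  {"eventID": "evt-5", "eventSource": "ec2.amazonaws.com", "eventName": "DisassociateRouteTable",
   "eventTime": "2025-01-15T10:05:00Z", "sourceIPAddress": "192.0.2.44",
   "userAgent": "aws-cli/2.15.0",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::123456789012:assumed-role/NetworkAdminRole/carol"}}
]
"""
SAMPLE_RECORDS = json.loads(SAMPLE_RECORDS_JSON)

# Constructed exception list in the spirit of the false-positive guidance:
# a known automation role and the user-agent substring its tooling sends.
KNOWN_AUTOMATION = {
    "roles": {"TerraformDeployRole"},
    "user_agent_substrings": {"Terraform/"},
}


def to_ecs(record: dict) -> dict:
    """Map the raw CloudTrail fields the rule needs onto ECS names.
    Assumed mapping: eventSource -> event.provider, eventName -> event.action,
    and event.outcome is 'failure' when errorCode is present, else 'success'."""
    identity = record.get("userIdentity", {})
    actor = identity.get("userName") or identity.get("arn", "unknown")
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource", ""),
        "event.action": record.get("eventName", ""),
        "event.outcome": "failure" if "errorCode" in record else "success",
        "event.id": record.get("eventID"),
        "@timestamp": record.get("eventTime"),
        "source.ip": record.get("sourceIPAddress"),
        "user_agent.original": record.get("userAgent", ""),
        "user.name": actor,
    }


def matches_rule(ecs: dict) -> bool:
    """The rule's KQL, one conjunct per line."""
    return (
        ecs["event.dataset"] == "aws.cloudtrail"
        and ecs["event.provider"] == "ec2.amazonaws.com"
        and ecs["event.action"] in ROUTE_TABLE_ACTIONS
        and ecs["event.outcome"] == "success"
    )


def is_excepted(ecs: dict, exceptions: dict) -> bool:
    """Suppress only when BOTH the role and the user agent are known automation,
    so the same role used interactively (e.g. from the console) still alerts."""
    role_hit = any(f"assumed-role/{r}/" in ecs["user.name"] for r in exceptions["roles"])
    ua_hit = any(s in ecs["user_agent.original"] for s in exceptions["user_agent_substrings"])
    return role_hit and ua_hit


def run_rule(records: Iterable[dict], exceptions: dict) -> list:
    """Return one alert dict per record that matches and is not excepted."""
    alerts = []
    for record in records:
        ecs = to_ecs(record)
        if matches_rule(ecs) and not is_excepted(ecs, exceptions):
            alerts.append({
                "event.id": ecs["event.id"],
                "action": ecs["event.action"],
                "user": ecs["user.name"],
                "source.ip": ecs["source.ip"],
                "@timestamp": ecs["@timestamp"],
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_RECORDS, KNOWN_AUTOMATION):
        print(alert)
```

Run as-is, only evt-1 (an interactive ReplaceRoute) and evt-5 (a DisassociateRouteTable by a role that is not on the exception list) produce alerts; evt-2 is matched by the query but suppressed as Terraform automation, evt-3 drops out because the failed call maps to event.outcome failure, and evt-4 is a CreateRouteTable, which this rule does not cover. Requiring both the role and the user agent to match before suppressing is a deliberate choice: an exception keyed on the role alone would also hide route changes made with that role's credentials from an unexpected client.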
Related rules
- AWS Route Table Created
- AWS EC2 Network Access Control List Creation
- AWS EC2 Security Group Configuration Change
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account