New Network Route Added
Detects the addition of a new network route to a route table in AWS.
Sigma rule
title: New Network Route Added
id: c803b2ce-c4a2-4836-beae-b112010390b1
status: test
description: |
  Detects the addition of a new network route to a route table in AWS.
references:
  - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
  - attack.initial-access
  - attack.t1190
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: 'ec2.amazonaws.com'
    eventName: 'CreateRoute'
  condition: selection
falsepositives:
  - New VPC Creation requiring setup of a new route table
  - New subnets added requiring routing setup
level: medium
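The rule's selection applied to CloudTrail records, as an added example that is not part of the original rule or the Sigma project's code. The sample records are constructed, and the requestParameters field names (routeTableId, destination*, gatewayId, natGatewayId) are assumptions about the CloudTrail record layout, not values taken from this page.

```python
import json

# Selection from the rule above. Sigma compares plain strings case-insensitively.
SELECTION = {"eventSource": "ec2.amazonaws.com", "eventName": "CreateRoute"}

# Constructed CloudTrail log file content (IDs and ARNs are made up).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-07-11T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateRoute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"routeTableId": "rtb-0example1",
                           "destinationCidrBlock": "0.0.0.0/0",
                           "gatewayId": "igw-0example1"}},
    {"eventTime": "2024-07-11T10:03:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeRouteTables",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": None},
    {"eventTime": "2024-07-11T10:05:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateRoute", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-ci"},
     "requestParameters": {"routeTableId": "rtb-0example2",
                           "destinationCidrBlock": "10.20.0.0/16",
                           "natGatewayId": "nat-0example2"}},
]})

def matches(event):
    """True when every field in SELECTION equals the event's value."""
    return all(str(event.get(k, "")).lower() == v.lower() for k, v in SELECTION.items())

def alerts(log_text):
    """Return one triage record per CloudTrail event that matches the selection."""
    found = []
    for event in json.loads(log_text).get("Records", []):
        if not matches(event):
            continue
        params = event.get("requestParameters") or {}
        found.append({
            "time": event.get("eventTime"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "route_table": params.get("routeTableId"),
            "destination": next((v for k, v in params.items() if k.startswith("destination")), None),
            "target": {k: v for k, v in params.items()
                       if k != "routeTableId" and not k.startswith("destination")},
            # The rule has no errorCode filter, so denied calls alert too.
            "error": event.get("errorCode"),
        })
    return found

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

The actor, route table, destination and target fields give the context needed to compare an alert against the two listed false positives (new VPC setup, new subnet routing).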