Ingress/Egress Security Group Modification
Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
Sigma rule
```yaml
title: Ingress/Egress Security Group Modification
id: 6fb77778-040f-4015-9440-572aa9b6b580
status: test
description: |
    Detects when an account makes changes to the ingress or egress rules of a security group.
    This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName:
            - 'AuthorizeSecurityGroupEgress'
            - 'AuthorizeSecurityGroupIngress'
            - 'RevokeSecurityGroupEgress'
            - 'RevokeSecurityGroupIngress'
    condition: selection
falsepositives:
    - New VPCs and Subnets being setup requiring a different security profile to those already defined
    - A single port being opened for a new service that is known to be deploying
    - Administrators closing unused ports to reduce the attack surface
level: medium
```
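The rule's `selection` is a simple equality test on two CloudTrail fields, but an analyst receiving a medium-severity hit still has to decide which of the listed false positives applies. The following is an added example, not part of the Sigma rule or of the SigmaHQ project: it re-implements the selection in Python, runs it over constructed CloudTrail-style records, and goes one step beyond the rule by attaching triage context (actor, group, ingress/egress direction, open/close action, and whether any permission admits traffic from or to any address). The record layout (`requestParameters.ipPermissions.items[*].ipRanges.items[*].cidrIp`) is assumed to follow CloudTrail's EC2 request logging; all account IDs, ARNs and group IDs are made up.

```python
"""Added example: the Sigma selection above re-implemented in Python, run over
constructed CloudTrail-style records, plus triage context for each match."""
import json

# Field values copied from the Sigma rule's detection.selection block.
RULE_EVENT_SOURCE = "ec2.amazonaws.com"
RULE_EVENT_NAMES = {
    "AuthorizeSecurityGroupEgress",
    "AuthorizeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
}

# CIDRs that match every IPv4 / IPv6 address.
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

# Constructed sample records (assumed CloudTrail shape; not real logs).
SAMPLE_EVENTS = [
    {   # inbound SSH opened to the whole internet: the case the description warns about
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # an administrator closing an outbound rule: the 'closing unused ports' false positive
        "eventSource": "ec2.amazonaws.com", "eventName": "RevokeSecurityGroupEgress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-admin"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}},
    },
    {   # unrelated EC2 call: must not match the rule
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {},
    },
    {   # all outbound traffic to any IPv6 address; protocol -1 carries no port fields
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupEgress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
            {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}},
    },
]


def matches_rule(event: dict) -> bool:
    """Sigma 'selection': eventSource equals the EC2 endpoint AND eventName is one of the four."""
    return (event.get("eventSource") == RULE_EVENT_SOURCE
            and event.get("eventName") in RULE_EVENT_NAMES)


def _cidrs(permission: dict):
    """Yield every IPv4/IPv6 CIDR in one ipPermissions item (CloudTrail nests them under 'items')."""
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for entry in permission.get(key, {}).get("items", []):
            if field in entry:
                yield entry[field]


def triage(event: dict) -> dict:
    """Summarise a matching event: actor, group, direction, action and any world-open permissions."""
    name = event["eventName"]
    params = event.get("requestParameters", {})
    world_open_ports = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        if any(cidr in ANY_ADDRESS for cidr in _cidrs(perm)):
            world_open_ports.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return {
        "actor": event.get("userIdentity", {}).get("arn", "<unknown>"),
        "group_id": params.get("groupId"),
        "direction": "ingress" if name.endswith("Ingress") else "egress",
        # An Authorize* that admits any address is the case the rule's description warns about;
        # a Revoke* usually corresponds to the 'administrators closing unused ports' false positive.
        "action": "open" if name.startswith("Authorize") else "close",
        "world_open_ports": world_open_ports,
    }


def run_rule(events):
    """Apply the rule to a stream of CloudTrail records and return the triaged matches."""
    return [triage(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Run stand-alone, the script prints three matches and skips the `RunInstances` record; the `world_open_ports` field is empty for the revoke, which is the signal an analyst would use to down-rank it against the rule's third false positive.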