Ingress/Egress Security Group Modification

Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.

Sigma rule (View on GitHub)

 1title: Ingress/Egress Security Group Modification
 2id: 6fb77778-040f-4015-9440-572aa9b6b580
 3status: test
 4description: |
 5    Detects when an account makes changes to the ingress or egress rules of a security group.
 6    This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.    
 7references:
 8    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 9author: jamesc-grafana
10date: 2024/07/11
11tags:
12    - attack.initial_access
13    - attack.t1190
14logsource:
15    product: aws
16    service: cloudtrail
17detection:
18    selection:
19        eventSource: 'ec2.amazonaws.com'
20        eventName:
21            - 'AuthorizeSecurityGroupEgress'
22            - 'AuthorizeSecurityGroupIngress'
23            - 'RevokeSecurityGroupEgress'
24            - 'RevokeSecurityGroupIngress'
25    condition: selection
26falsepositives:
27    - New VPCs and Subnets being setup requiring a different security profile to those already defined
28    - A single port being opened for a new service that is known to be deploying
29    - Administrators closing unused ports to reduce the attack surface
30level: medium

References

Related rules

to-top