LoadBalancer Security Group Modification

Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration that allows more traffic into the system than required, or an attempt by an attacker to enable new connections into a VPC or subnet controlled by the account.

Sigma rule

title: LoadBalancer Security Group Modification
id: 7a4409fc-f8ca-45f6-8006-127d779eaad9
status: test
description: |
    Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).
    This can indicate a misconfiguration that allows more traffic into the system than required, or an attempt by an attacker to enable new connections into a VPC or subnet controlled by the account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'elasticloadbalancing.amazonaws.com'
        eventName:
            - 'ApplySecurityGroupsToLoadBalancer'
            - 'SetSecurityGroups'
    condition: selection
falsepositives:
    - Repurposing of an ELB or ALB to serve a different or additional application
    - Changes to security groups to allow for new services to be deployed
level: medium
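The rule's selection is a plain equality match on two CloudTrail fields, so it is easy to reproduce outside a SIEM to see which records it fires on and which it ignores. The following Python is an added example, not part of the Sigma rule or the SigmaHQ project: it applies the same `eventSource` / `eventName` selection to a handful of constructed CloudTrail records (account id, ARNs, IP addresses and security group ids are made up) and pulls out the fields an analyst needs to decide whether a hit is one of the listed false positives (who made the change, from where, on which load balancer, to which groups). The `requestParameters` layout used for the two API calls is an assumption for this example.

```python
# Added example: replay the Sigma selection over sample CloudTrail records
# and extract triage fields for each hit.
from typing import Any, Dict, List

# Selection from the Sigma rule: eventSource plus either of two eventNames.
RULE_EVENT_SOURCE = "elasticloadbalancing.amazonaws.com"
RULE_EVENT_NAMES = frozenset({"ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups"})

# Constructed sample records (not real log data). Top-level field names follow
# the CloudTrail record format; the requestParameters contents are assumed.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {   # ALB: security groups replaced -> should match
        "eventTime": "2024-07-11T10:15:00Z",
        "eventSource": "elasticloadbalancing.amazonaws.com",
        "eventName": "SetSecurityGroups",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web/0123456789abcdef",
            "securityGroups": ["sg-0aaa", "sg-0bbb"],
        },
    },
    {   # Classic ELB: security groups applied -> should match
        "eventTime": "2024-07-11T10:20:00Z",
        "eventSource": "elasticloadbalancing.amazonaws.com",
        "eventName": "ApplySecurityGroupsToLoadBalancer",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"loadBalancerName": "legacy-elb", "securityGroups": ["sg-0ccc"]},
    },
    {   # Read-only ELB call -> must not match
        "eventTime": "2024-07-11T10:21:00Z",
        "eventSource": "elasticloadbalancing.amazonaws.com",
        "eventName": "DescribeLoadBalancers",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "sourceIPAddress": "203.0.113.11",
    },
    {   # Security group rule change on the EC2 API: a different service, out of scope here
        "eventTime": "2024-07-11T10:22:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "sourceIPAddress": "203.0.113.11",
        "requestParameters": {"groupId": "sg-0aaa"},
    },
]


def matches_rule(record: Dict[str, Any]) -> bool:
    """Equivalent of the rule's 'selection' block: both fields must match."""
    return (
        record.get("eventSource") == RULE_EVENT_SOURCE
        and record.get("eventName") in RULE_EVENT_NAMES
    )


def summarize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Pull out the fields needed to triage a hit against the listed false positives."""
    params = record.get("requestParameters") or {}
    identity = record.get("userIdentity") or {}
    return {
        "time": record.get("eventTime"),
        "api": record.get("eventName"),
        "actor": identity.get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        # ALB calls carry an ARN, classic ELB calls a name; report whichever is present.
        "load_balancer": params.get("loadBalancerArn") or params.get("loadBalancerName"),
        "security_groups": list(params.get("securityGroups") or []),
    }


def run_detection(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return a triage summary for every record the rule's selection matches."""
    return [summarize(r) for r in records if matches_rule(r)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_RECORDS):
        print(hit)
```

Only the two ELB/ALB security group calls produce hits; the `Describe*` call and the EC2 `AuthorizeSecurityGroupIngress` call fall outside the selection, which is why this rule should be paired with separate coverage for security group rule changes on the EC2 API rather than relied on for them. The summary fields are what let an analyst confirm a hit against the stated false positives (a deployment role changing groups for a new service, for instance) instead of treating every match as hostile.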
