LoadBalancer Security Group Modification

Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration that allows more traffic into the system than required, or an attacker attempting to enable new connections into a VPC or subnet controlled by the account.

Author
jamesc-grafana
Category
cloud
Log Source
Product
aws
Service
cloudtrail
Detection Logic
detection:
    selection:
        eventSource: 'elasticloadbalancing.amazonaws.com'
        eventName:
            - 'ApplySecurityGroupsToLoadBalancer'
            - 'SetSecurityGroups'
    condition: selection
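The selection above, applied to CloudTrail records in Python so the match and the triage fields (who changed which load balancer's security groups to what) can be seen on sample data. This is an added example, not code from the Sigma project; the sample trail is constructed, and the requestParameters field names it reads (securityGroups, loadBalancerName, loadBalancerArn) are assumed from the ELB API shapes rather than taken from this page.

```python
import json

# The rule's `selection`, as a plain predicate. Sigma string matching is
# case-insensitive by default, so both sides are compared lower-cased.
LB_SG_EVENTS = {"applysecuritygroupstoloadbalancer", "setsecuritygroups"}

def matches_rule(record: dict) -> bool:
    """True when a CloudTrail record satisfies the rule's selection."""
    return (str(record.get("eventSource", "")).lower() == "elasticloadbalancing.amazonaws.com"
            and str(record.get("eventName", "")).lower() in LB_SG_EVENTS)

def triage_hits(records) -> list:
    """One summary per matching record. The requestParameters keys used here
    are an assumption based on ELB/ELBv2 API shapes; verify on real trails."""
    hits = []
    for r in records:
        if not matches_rule(r):
            continue
        params = r.get("requestParameters") or {}
        hits.append({
            "time": r.get("eventTime"),
            "event": r.get("eventName"),
            "actor": (r.get("userIdentity") or {}).get("arn"),
            "load_balancer": params.get("loadBalancerArn") or params.get("loadBalancerName"),
            "security_groups": list(params.get("securityGroups") or []),
        })
    return hits

def hits_from_trail(trail_json: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) and triage it."""
    return triage_hits(json.loads(trail_json).get("Records", []))

# Constructed sample trail: an ALB change, an unrelated EC2 event, a classic ELB change.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-07-11T10:00:00Z", "eventSource": "elasticloadbalancing.amazonaws.com",
     "eventName": "SetSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef",
                           "securityGroups": ["sg-0123456789abcdef0"]}},
    {"eventTime": "2024-07-11T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-07-11T10:10:00Z", "eventSource": "elasticloadbalancing.amazonaws.com",
     "eventName": "ApplySecurityGroupsToLoadBalancer",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"loadBalancerName": "legacy-elb",
                           "securityGroups": ["sg-0aaaaaaaaaaaaaaaa", "sg-0bbbbbbbbbbbbbbbb"]}},
]})
```

Running hits_from_trail(SAMPLE_TRAIL) returns the two load-balancer events and skips the EC2 security-group change, which this rule does not cover.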
False Positives

Repurposing of an ELB or ALB to serve a different or additional application

Changes to security groups to allow for new services to be deployed

Rule Metadata
Rule ID
7a4409fc-f8ca-45f6-8006-127d779eaad9
Status
test
Level
medium
Type
Detection
Created
Thu Jul 11
Path
rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml
Raw Tags
attack.initial-access, attack.t1190