
New Network ACL Entry Added

Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.

Author: jamesc-grafana
Log Source
Product: AWS (aws)
Service: cloudtrail
Detection Logic
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateNetworkAclEntry'
    condition: selection
False Positives

Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC
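The selection above is two field/value pairs combined with AND, so any CreateNetworkAclEntry call recorded by CloudTrail fires the rule regardless of what the entry allows or denies. The following Python is an added example, not part of the rule or of Phoenix Studio, that applies the same selection to a few constructed CloudTrail records and pulls out the context an analyst needs to sort a legitimate customer-access change from an unexpected one. The requestParameters field names (networkAclId, ruleAction, egress, cidrBlock) follow the EC2 CreateNetworkAclEntry API and are assumed here; verify them against real log output.

```python
import json

# The Sigma selection from the rule: every key must match (AND within a map).
SELECTION = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateNetworkAclEntry",
}


def matches_selection(event, selection=SELECTION):
    """Return True when every field in the selection is present in the event
    and equal to the expected value. Sigma's default string match is
    case-insensitive, so compare lower-cased strings."""
    for field, expected in selection.items():
        value = event.get(field)
        if value is None or str(value).lower() != str(expected).lower():
            return False
    return True


def summarize(event):
    """Extract triage context for a hit. Field names under requestParameters
    are assumed from the EC2 API, not taken from the rule page."""
    params = event.get("requestParameters") or {}
    identity = event.get("userIdentity") or {}
    return {
        "time": event.get("eventTime"),
        "actor": identity.get("arn"),
        "acl": params.get("networkAclId"),
        "action": params.get("ruleAction"),
        "egress": params.get("egress"),
        "cidr": params.get("cidrBlock"),
        "ports": params.get("portRange"),
    }


def run_rule(records):
    """Apply the selection to a list of CloudTrail records; return one
    summary per matching record, in input order."""
    return [summarize(r) for r in records if matches_selection(r)]


# Constructed sample CloudTrail records (not real data): two ACL entry
# creations and one read-only call that must not match.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-07-11T10:15:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateNetworkAclEntry",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "networkAclId": "acl-0123456789abcdef0",
            "ruleNumber": 100,
            "protocol": "6",
            "ruleAction": "allow",
            "egress": False,
            "cidrBlock": "0.0.0.0/0",
            "portRange": {"from": 22, "to": 22},
        },
    },
    {
        "eventTime": "2024-07-11T10:16:40Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeNetworkAcls",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {},
    },
    {
        "eventTime": "2024-07-11T11:02:11Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateNetworkAclEntry",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/NetOps"},
        "requestParameters": {
            "networkAclId": "acl-0123456789abcdef0",
            "ruleNumber": 110,
            "protocol": "-1",
            "ruleAction": "deny",
            "egress": True,
            "cidrBlock": "203.0.113.0/24",
        },
    },
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

Running the script prints two hits: the world-open inbound allow on port 22 and the outbound deny. The rule itself treats both the same, which is why the false-positive note matters: the actor, ruleAction, egress flag and CIDR in the summary are what let a reviewer tell a planned public-VPC change from something unexpected.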

Rule Metadata
Rule ID
e1f7febb-7b94-4234-b5c6-00fb8500f5dd
Status
test
Level
low
Type
Detection
Created
Thu Jul 11
Path
rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml
Raw Tags
attack.defense-evasion, attack.t1562.007