AWS Network Access Control List Deleted
Description
Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.
- Type: Anomaly
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2021-01-12
- Author: Bhavin Patel, Patrick Bareiss, Splunk
- ID: ada0f478-84a8-4641-a3f1-d82362d6fd75
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
| T1562 | Impair Defenses | Defense Evasion |
Search
`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_network_access_control_list_deleted_filter`
Associated Analytic Story
How To Implement
You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.
Required field
- _time
- eventName
- requestParameters.egress
- userName
- userIdentity.principalId
- src
- userAgent
Kill Chain Phase
- Actions on Objectives
Known False Positives
It's possible that a user has legitimately deleted a network ACL.
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 5.0 | 10 | 50 | User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2