
Description

Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Last Updated: 2021-01-12
  • Author: Bhavin Patel, Patrick Bareiss, Splunk
  • ID: ada0f478-84a8-4641-a3f1-d82362d6fd75

Annotations

ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
| T1562 | Impair Defenses | Defense Evasion |
Kill Chain Phase
  • Actions on Objectives
NIST
  • DE.DP
  • DE.AE
CIS20
  • CIS 11
CVE
`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_network_access_control_list_deleted_filter`

Macros

The SPL above uses the following Macros:

  • cloudtrail
  • security_content_ctime
  • aws_network_access_control_list_deleted_filter

Note that aws_network_access_control_list_deleted_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
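As an added example (not Splunk's own code and not part of this detection), the following Python reproduces the search logic above over constructed CloudTrail JSON records: the eventName/egress filter, the `fillnull` step, the `stats` grouping with first and last times, and the allow-list role played by the empty `aws_network_access_control_list_deleted_filter` macro. It assumes the field mapping the Splunk Add-on for AWS applies (`userName` and `userIdentity.principalId` taken from `userIdentity`, `src` from `sourceIPAddress`) and the `%m/%d/%Y %H:%M:%S` output format of `security_content_ctime`; the sample events, principal IDs and addresses are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style records for illustration (not real log data).
# Assumed mapping for the Splunk Add-on for AWS: userName and
# userIdentity.principalId come from userIdentity, src from sourceIPAddress.
SAMPLE_EVENTS = [
    {"eventTime": "2021-01-12T10:00:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE", "userName": "alice"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0example1", "ruleNumber": 100, "egress": False}},
    {"eventTime": "2021-01-12T10:05:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE", "userName": "alice"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0example1", "ruleNumber": 110, "egress": False}},
    # Egress-rule deletion: excluded by requestParameters.egress=false.
    {"eventTime": "2021-01-12T10:06:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE", "userName": "alice"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0example1", "ruleNumber": 100, "egress": True}},
    # Assumed role with no userName: exercises the fillnull step.
    {"eventTime": "2021-01-12T11:30:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:deploy"},
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.1.0",
     "requestParameters": {"networkAclId": "acl-0example2", "ruleNumber": 200, "egress": "false"}},
    # Unrelated API call: excluded by eventName.
    {"eventTime": "2021-01-12T11:31:00Z", "eventName": "DescribeNetworkAcls",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE", "userName": "alice"},
     "sourceIPAddress": "198.51.100.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {}},
]

# The "by" clause of the stats command, in order.
GROUP_BY = ("userName", "principalId", "eventName", "egress", "src", "userAgent")


def matches_search(event):
    """eventName=DeleteNetworkAclEntry requestParameters.egress=false.
    CloudTrail JSON carries egress as a boolean while Splunk compares the
    string form, so both False and "false" are accepted here."""
    egress = event.get("requestParameters", {}).get("egress")
    return (event.get("eventName") == "DeleteNetworkAclEntry"
            and str(egress).lower() == "false")


def ctime(epoch):
    """security_content_ctime: epoch seconds -> %m/%d/%Y %H:%M:%S (assumed format)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def detect(events, allowlist=frozenset()):
    """Run the detection over raw CloudTrail records and return the stats rows.
    allowlist plays the role of the (by default empty) filter macro: a set of
    (userName, src) pairs whose rows are dropped as known false positives."""
    groups = {}
    for ev in events:
        if not matches_search(ev):
            continue
        ident = ev.get("userIdentity", {})
        fields = {
            "userName": ident.get("userName"),
            "principalId": ident.get("principalId"),
            "eventName": ev["eventName"],
            "egress": str(ev["requestParameters"]["egress"]).lower(),
            "src": ev.get("sourceIPAddress"),
            "userAgent": ev.get("userAgent"),
        }
        # fillnull with no arguments replaces missing values with 0.
        key = tuple("0" if fields[f] is None else fields[f] for f in GROUP_BY)
        epoch = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc).timestamp()
        g = groups.setdefault(key, {"count": 0, "firstTime": epoch, "lastTime": epoch})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], epoch)
        g["lastTime"] = max(g["lastTime"], epoch)

    rows = []
    for key, g in sorted(groups.items()):
        row = dict(zip(GROUP_BY, key))
        if (row["userName"], row["src"]) in allowlist:
            continue  # the filter macro step
        row.update(count=g["count"], firstTime=ctime(g["firstTime"]), lastTime=ctime(g["lastTime"]))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(json.dumps(row))
```

Running the block prints one row per (userName, principalId, eventName, egress, src, userAgent) group; the assumed-role deletion shows up with userName 0, which is why the search keeps `fillnull` before `stats` (a null group-by field would otherwise drop the row entirely). Passing a known (userName, src) pair in `allowlist` is the equivalent of populating the filter macro to suppress a legitimate deletion.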

Required field

  • _time
  • eventName
  • requestParameters.egress
  • userName
  • userIdentity.principalId
  • src
  • userAgent

How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.

Known False Positives

It’s possible that a user has legitimately deleted a network ACL.

Associated Analytic story

RBA

| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 5.0 | 10 | 50 | User $user_arn$ from $src$ has successfully deleted a network ACL entry (eventName= $eventName$), such that the instance is accessible from anywhere |

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2