[Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064)

imays11 · web-flow · commit 76e083ced0a3 · 2025-09-11T15:35:16.000-04:00
* [Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted

AWS Route Table Created
- turned this into a new_terms rule to reduce noise and be more indicative of potential malicious behavior. Used `cloud.account.id`, `user.name` combination to account for both roles and users doing this behavior for the first time.
- changed execution interval
- changed the name to add EC2
- slight adjustments to IG and description
- fixed tagging error
- added investigation fields

AWS EC2 Route Table Modified or Deleted
- replaced new terms field to `cloud.account.id`, `user.name` combination to account for both roles and users doing this behavior for the first time.
- removed the exclusions from this rule. These exclusions, while meant to reduce noise caused by automation tools, actually just provide an easy bypass. A user can simply use CloudFormation to perform the exact same behaviors and avoid detection. I've shown this in the screenshot below, I ran a nearly identical script, one with and one without using CloudFormation. While `source.address` is `cloudformation.amazonaws.com` the behavior was still performed by an IAMUser and should still be evaluated. The fact that this is a new terms rule will reduce the risk of noise due to automation using these tools.
- changed execution interval
- slight adjustments to IG and description
- added investigation fields

* Update persistence_route_table_created.toml

* Update rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
@@ -2,26 +2,23 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/09/04"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
 Identifies AWS CloudTrail events where an EC2 route table or association has been modified or deleted. Route table or
-association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain
-persistence in a compromised environment. This is a [New
-Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the
-first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 10 days.
+association modifications can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.
 """
 false_positives = [
     """
-    Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
-    and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users
+    Route Tables could be modified or deleted by a system administrator. Verify whether the user identity, user agent,
+    and/or hostname should be making changes in your environment. Route Tables being modified from unfamiliar users
     should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also
     automated processes that use Terraform may lead to false positives.
     """,
 ]
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -36,7 +33,7 @@ This rule detects modifications or deletions of AWS route tables using actions s
 #### Possible Investigation Steps
 
 - **Review Request Parameters:**
-   - Check the `aws.cloudtrail.flattened.request_parameters` field. The sub-fields may vary depending on the `event.action` (e.g., `routeTableId` for `DeleteRouteTable`, `destinationCidrBlock` for `ReplaceRoute`).
+   - Check the `aws.cloudtrail.request_parameters` field. The sub-fields may vary depending on the `event.action` (e.g., `routeTableId` for `DeleteRouteTable`, `destinationCidrBlock` for `ReplaceRoute`).
    - Validate the affected route table, routes, or associations based on the API call:
      - For `ReplaceRoute`: Look for changes in specific routes using `destinationCidrBlock`.
      - For `ReplaceRouteTableAssociation`: Review the new association details (e.g., subnet ID).
@@ -50,7 +47,7 @@ This rule detects modifications or deletions of AWS route tables using actions s
 
 - **Analyze Request Details**:
   - **Action Type**: Verify the specific API call in the `event.action` field (e.g., `ReplaceRoute`, `DeleteRouteTable`) to understand the nature of the modification.
-  - **Source IP and Geolocation**: Examine the `source.address` and `source.geo` fields to confirm whether the request originated from a trusted location. Suspicious geolocations or IPs may indicate adversarial activity.
+  - **Source IP and Geolocation**: Examine the `source.ip` and `source.geo` fields to confirm whether the request originated from a trusted location. Suspicious geolocations or IPs may indicate adversarial activity.
   - **User Agent**: Review the `user_agent.original` field to determine the tool used for the request (e.g., AWS CLI, Terraform). Unusual or custom user agents may indicate malicious intent.
 
 - **Correlate with Other Activity**:
@@ -70,7 +67,7 @@ This rule detects modifications or deletions of AWS route tables using actions s
 
 ### Response and Remediation
 
-- **Revoke Unauthorized Permissions**: If unauthorized, remove permissions for `ec2:ReplaceRoute`, `ec2:DeleteRouteTable`, or other related actions from the user or role.
+- **Revoke Unauthorized Permissions**: If unauthorized, remove permissions for related actions from the user or role. You can use the managed [AWSDenyAll](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDenyAll.html) policy.
 - **Restore the Route Table**:
   - If critical networking was impacted, restore the route table or reapply previous configurations from backups or Terraform state files.
   - Verify connectivity to affected subnets or instances to ensure no disruptions to services.
@@ -117,13 +114,24 @@ event.dataset: "aws.cloudtrail"
         "DisassociateRouteTable"
     )
     and event.outcome: "success"
-    and not source.address: (
-        "cloudformation.amazonaws.com" or
-        "servicecatalog.amazonaws.com" or
-        "fsx.amazonaws.com"
-    )
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements"
+]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -135,7 +143,7 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["aws.cloudtrail.user_identity.arn"]
+value = ["cloud.account.id", "user.name"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
@@ -2,11 +2,13 @@
 creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/04"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
-description = "Identifies when an AWS Route Table has been created."
+description = """
+Identifies when an EC2 Route Table has been created. Route tables can be used by attackers to disrupt network traffic, reroute communications, or maintain persistence in a compromised environment. This is a New Terms rule that detects the first instance of this behavior by a user or role.
+"""
 false_positives = [
     """
     Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent,
@@ -15,26 +17,23 @@ false_positives = [
     processes that use Terraform may lead to false positives.
     """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
-name = "AWS Route Table Created"
+name = "AWS EC2 Route Table Created"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating AWS Route Table Created
+### Investigating AWS EC2 Route Table Created
 
 AWS Route Tables are crucial components in managing network traffic within AWS environments, directing data between subnets and internet gateways. Adversaries may exploit route tables to reroute traffic for data exfiltration or to establish persistence by creating unauthorized routes. The detection rule monitors successful creation events of route tables, flagging potential misuse by correlating specific AWS CloudTrail logs, thus aiding in identifying unauthorized network configuration changes.
 
 ### Possible investigation steps
 
-- Review the AWS CloudTrail logs for the specific event.provider:ec2.amazonaws.com and event.action values (CreateRoute or CreateRouteTable) to identify the user or role that initiated the route table creation.
-- Check the event.outcome:success field to confirm the successful creation of the route table and gather additional context such as timestamps and source IP addresses.
-- Investigate the associated AWS account and IAM user or role to determine if the action aligns with expected behavior and permissions.
+- Investigate the AWS account and IAM user or role to determine if the action aligns with expected behavior and permissions.
 - Examine the newly created route table's configuration to identify any unauthorized or suspicious routes that could indicate potential misuse or data exfiltration attempts.
 - Correlate the event with other network security monitoring data to identify any unusual traffic patterns or anomalies that coincide with the route table creation.
 - Assess the environment for any recent changes or incidents that might explain the creation of the route table, such as new deployments or infrastructure modifications.
@@ -49,7 +48,7 @@ AWS Route Tables are crucial components in managing network traffic within AWS e
 
 ### Response and remediation
 
-- Immediately isolate the affected AWS account or VPC to prevent further unauthorized network changes and potential data exfiltration.
+- If unauthorized, remove permissions for related actions from the user or role. You can use the managed [AWSDenyAll](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDenyAll.html) policy. 
 - Review the newly created route table and any associated routes to identify unauthorized entries. Remove any routes that are not part of the expected network configuration.
 - Conduct a thorough audit of IAM roles and permissions to ensure that only authorized users have the ability to create or modify route tables. Revoke any excessive permissions identified.
 - Implement network monitoring to detect unusual traffic patterns that may indicate data exfiltration or other malicious activities.
@@ -72,19 +71,40 @@ tags = [
     "Domain: Cloud",
     "Data Source: AWS",
     "Data Source: Amazon Web Services",
-    "Data Source: AWS Route53",
+    "Data Source: AWS EC2",
     "Use Case: Network Security Monitoring",
     "Tactic: Persistence",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "new_terms"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
-event.outcome:success
+event.dataset: "aws.cloudtrail"
+    and event.provider: "ec2.amazonaws.com" 
+    and event.action:(
+        "CreateRoute" or 
+        "CreateRouteTable"
+    ) 
+    and event.outcome: "success"
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements"
+]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -94,3 +114,10 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["cloud.account.id", "user.name"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
