Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when an AWS security group is opened to the world on a port commonly associated with an administrative service.

Strategy

Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

• AuthorizeSecurityGroupIngress

This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp or @requestParameters.cidrIp array to determine if either of the strings are contained - 0.0.0.0/0 or ::/0 for the following ports:

• 21 (FTP)
• 22 (SSH)
• 23 (Telnet)
• 445 (SMB)
• 2375 (Docker daemon)
• 3389 (RDP)
• 5900 (VNC)
• 5985 (WinRM HTTP)
• 5986 (WinRM HTTPS)

Administrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.

Note: There is a separate rule to detect AWS Security Group Open to the World.

Triage and response

1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
2. If the API call was not made by the user:

• Rotate the user credentials.
• Determine what other API calls were made by the user.
• Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.

3. If the API call was made legitimately by the user:

• Advise the user to modify the IP range to the company private network or bastion host.

4. Revert security group configuration back to known good state if required:

• Use the aws-cli command revoke-security-group-ingress or the AWS console to remove the rule.
• Use the aws-cli command modify-security-group-rules or AWS console to modify the existing rule.

Changelog

• 26 August 2022 - Updated rule query
• 1 November 2022 - Updated rule query and severity.