
Commit 5b386e0

[Rule Tuning] AWS EC2 Full Network Packet Capture Detected (#5244)
* [Rule Tuning] AWS EC2 Full Network Packet Capture Detected

**AWS EC2 Full Network Packet Capture Detected**

Alert telemetry is low in general; however, the alerts that do exist are unnecessarily duplicative in nature. When a traffic mirror session is created (CreateTrafficMirrorSession), it is typically created alongside a filter and filter rules (CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule), which determine what traffic will be mirrored. There is also a traffic mirror target (CreateTrafficMirrorTarget), which is the destination for the mirrored traffic to go. The original scope of this rule included all of those APIs when really the only API needed here is `CreateTrafficMirrorSession`, which is the actual network mirroring behavior. The rest of those calls can be used as additional context during alert triage, but I've significantly reduced the scope of this rule to only capture the actual traffic mirroring behavior.

- reduced the query scope to `CreateTrafficMirrorSession` only
- reduced the execution window
- update description and investigation guide
- replaced API reference link
- added highlighted fields

* updating mitre technique

* updated Mitre mapping: adding network sniffing technique

* updating references to include relevant threat blog

* adding EC2 tag

* updating EC2 tagging
1 parent 57facdd commit 5b386e0
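The narrowed detection logic and the triage pivot the commit message describes (alert only on `CreateTrafficMirrorSession`, then use the surrounding `CreateTrafficMirrorFilter`/`Target` and discovery calls as context), as an added Python example that is not part of the Elastic rule repository or this commit. It runs over a handful of constructed CloudTrail-style events: the access key IDs, resource IDs, IP address and timestamps are invented, the `request_parameters` key casing follows the investigation guide, and the nested `response_elements` shape is an assumption to check against real ingested documents.

```python
"""Added example: re-implements the narrowed rule's match logic and the triage
pivot described in the commit message over constructed CloudTrail-style events.
Not part of the Elastic rule or this commit."""
from datetime import datetime, timedelta, timezone

KEY_A = "AKIAEXAMPLE000001"  # invented access key of the actor who creates the session
KEY_B = "AKIAEXAMPLE000002"  # invented access key of an unrelated actor

# Discovery calls the investigation guide says to pivot on around the alert.
DISCOVERY_ACTIONS = {"DescribeNetworkInterfaces", "DescribeInstances",
                     "DescribeVpcs", "DescribeSubnets", "DescribeRouteTables"}


def _ev(ts, action, outcome="success", key=KEY_A, extra=None):
    """Build a flattened CloudTrail event using the ECS field names the rule queries."""
    ev = {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.provider": "ec2.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.access_key_id": key,
        "source.ip": "203.0.113.10",  # documentation-range address, invented
    }
    ev.update(extra or {})
    return ev


# Constructed sample telemetry; every ID and timestamp is invented. Parameter key
# casing follows the investigation guide; the response_elements shape is assumed.
SAMPLE_EVENTS = [
    _ev("2025-10-23T14:02:00Z", "CreateTrafficMirrorFilter"),               # filter staged first
    _ev("2025-10-23T14:05:00Z", "CreateTrafficMirrorSession", extra={        # the alert
        "aws.cloudtrail.request_parameters": {
            "NetworkInterfaceId": "eni-0a1b2c3d4e5f60001",
            "TrafficMirrorTargetId": "tmt-0123456789abcdef0",
            "TrafficMirrorFilterId": "tmf-0123456789abcdef0",
            "SessionNumber": 1,
        },
        "aws.cloudtrail.response_elements": {
            "trafficMirrorSession": {"trafficMirrorSessionId": "tms-0123456789abcdef0"},
        },
    }),
    _ev("2025-10-23T14:04:00Z", "CreateTrafficMirrorSession", outcome="failure"),  # denied attempt
    _ev("2025-10-23T13:50:00Z", "DescribeInstances"),                       # positioning beforehand
    _ev("2025-10-23T16:30:00Z", "DescribeNetworkInterfaces", key=KEY_B),    # other actor, out of window
    _ev("2025-10-23T14:09:00Z", "DeleteTrafficMirrorSession"),              # probe-and-delete pattern
]


def rule_matches(event):
    """The narrowed KQL: dataset, provider, action and a successful outcome must all match."""
    return (event.get("event.dataset") == "aws.cloudtrail"
            and event.get("event.provider") == "ec2.amazonaws.com"
            and event.get("event.action") == "CreateTrafficMirrorSession"
            and event.get("event.outcome") == "success")


def find_alerts(events):
    return [e for e in events if rule_matches(e)]


def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_related(action):
    """Mirror lifecycle calls (create/modify/delete) plus the discovery calls the guide lists."""
    return (action.startswith(("CreateTrafficMirror", "ModifyTrafficMirror", "DeleteTrafficMirror"))
            or action in DISCOVERY_ACTIONS)


def pivot_related(alert, events, window_minutes=60):
    """Related calls by the same access key within +/- window, oldest first, excluding the alert."""
    key = alert.get("aws.cloudtrail.user_identity.access_key_id")
    t0 = _ts(alert)
    window = timedelta(minutes=window_minutes)
    hits = [e for e in events
            if e is not alert
            and e.get("aws.cloudtrail.user_identity.access_key_id") == key
            and is_related(e.get("event.action", ""))
            and abs(_ts(e) - t0) <= window]
    return sorted(hits, key=_ts)


def session_summary(alert):
    """Pull what a triager needs: who, from where, which ENI, to which target, under which filter."""
    params = alert.get("aws.cloudtrail.request_parameters", {})
    resp = alert.get("aws.cloudtrail.response_elements", {})
    return {
        "session_id": resp.get("trafficMirrorSession", {}).get("trafficMirrorSessionId"),
        "source_eni": params.get("NetworkInterfaceId"),
        "target": params.get("TrafficMirrorTargetId"),
        "filter": params.get("TrafficMirrorFilterId"),
        "actor_key": alert.get("aws.cloudtrail.user_identity.access_key_id"),
        "source_ip": alert.get("source.ip"),
    }


def triage(events):
    """One record per alert: the session summary plus the related-call timeline."""
    return [{"summary": session_summary(a),
             "related": [(e["@timestamp"], e["event.action"], e["event.outcome"])
                         for e in pivot_related(a, events)]}
            for a in find_alerts(events)]


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Only the successful `CreateTrafficMirrorSession` event becomes an alert; the failed attempt, the staged filter, the earlier `DescribeInstances` and the later `DeleteTrafficMirrorSession` surface as the same actor's timeline around it, while the unrelated actor's call two hours later is dropped by both the key match and the window.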

File tree

1 file changed

+104
-35
lines changed


rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml

Lines changed: 104 additions & 35 deletions
@@ -2,14 +2,15 @@
22
creation_date = "2021/05/05"
33
integration = ["aws"]
44
maturity = "production"
5-
updated_date = "2025/01/15"
5+
updated_date = "2025/10/23"
66

77
[rule]
88
author = ["Elastic", "Austin Songer"]
99
description = """
10-
Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon
11-
VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be
12-
abused to exfiltrate sensitive data from unencrypted internal traffic.
10+
Detects successful creation of an Amazon EC2 Traffic Mirroring session. A session copies full packets from a source
11+
Elastic Network Interface (ENI) to a mirror target (e.g., an ENI or NLB) using a mirror filter (ingress/egress rules).
12+
While used for diagnostics and NDR/IDS tooling, adversaries can abuse sessions to covertly capture and exfiltrate
13+
sensitive, potentially unencrypted, traffic from instances or subnets.
1314
"""
1415
false_positives = [
1516
"""
@@ -18,9 +19,8 @@ false_positives = [
1819
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
1920
""",
2021
]
21-
from = "now-60m"
22+
from = "now-6m"
2223
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
23-
interval = "10m"
2424
language = "kuery"
2525
license = "Elastic License v2"
2626
name = "AWS EC2 Full Network Packet Capture Detected"
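Review bot: dropping `interval = "10m"` while shrinking `from` to `now-6m` makes the lookback depend on whatever default interval the platform applies; if that default is not below 6m there is no overlap between runs and events that land between them are never evaluated. Keep an explicit interval next to the new window (for example `interval = "5m"` under `from = "now-6m"`) so the overlap is visible in the file, and note that `timestamp_override = "event.ingested"` (unchanged further down) is what absorbs CloudTrail delivery lag, not the size of this window.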
@@ -31,41 +31,73 @@ note = """## Triage and analysis
3131
3232
### Investigating AWS EC2 Full Network Packet Capture Detected
3333
34-
Traffic Mirroring in AWS EC2 allows copying of network traffic for monitoring and analysis, crucial for security and performance insights. However, adversaries can exploit this by capturing unencrypted data, leading to potential data exfiltration. The detection rule identifies successful creation of traffic mirroring components, signaling possible misuse for unauthorized data collection.
35-
36-
### Possible investigation steps
37-
38-
- Review the CloudTrail logs for the specific event actions: CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule, CreateTrafficMirrorSession, and CreateTrafficMirrorTarget to identify the user or role that initiated these actions.
39-
- Check the event.outcome field to confirm the success of the traffic mirroring setup and gather details about the time and source IP address of the request.
40-
- Investigate the associated Elastic Network Interface (ENI) to determine which EC2 instance is involved and assess its role and importance within the network.
41-
- Analyze the network traffic patterns and data flow from the mirrored traffic to identify any signs of data exfiltration or unusual data transfer activities.
42-
- Verify the encryption status of the network traffic being mirrored to assess the risk of sensitive data exposure.
43-
- Cross-reference the involved AWS account and IAM roles with known threat actor profiles or previous security incidents to identify potential insider threats or compromised accounts.
34+
This alert fires on a successful `CreateTrafficMirrorSession`, which enables full-packet Traffic Mirroring from a
35+
source ENI to a mirror target under a given filter. Because sessions immediately begin sending packets once active,
36+
treat unexpected creations as high priority.
37+
38+
#### Possible investigation steps
39+
40+
**Identify the actor and execution context**
41+
- **Principal**: Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
42+
`aws.cloudtrail.user_identity.access_key_id` to determine who created the session (human IAM user vs. assumed role vs. automation).
43+
- **Caller metadata**: Check `user_agent.original`, and `source.ip` for unusual tools, hosts, or locations.
44+
- **Account/Region/Time**: Validate `cloud.account.id`, `cloud.region`, and `@timestamp` against change windows or tickets.
45+
46+
**Extract the session details from the event**
47+
- **Request parameters**: Parse `aws.cloudtrail.request_parameters` for:
48+
- `NetworkInterfaceId` (mirrored source ENI) map to the EC2 instance and its business function.
49+
- `TrafficMirrorTargetId` identify where packets are being sent (ENI vs. NLB).
50+
- `TrafficMirrorFilterId` check which directions and protocols are allowed (ingress/egress, ports).
51+
- `SessionNumber`, `Description`, `TagSpecifications` look for operator tags or suspicious notes.
52+
- **Response elements**: Use `aws.cloudtrail.response_elements` to confirm the created `TrafficMirrorSessionId` and
53+
any resolved resource ARNs/IDs.
54+
55+
**Pivot for related API calls to validate scope and intent**
56+
Look before and after this event (±30–60 minutes) by the same principal / access key / source IP for:
57+
- **Target & Filter lifecycle**: `CreateTrafficMirrorTarget`, `CreateTrafficMirrorFilter`, `CreateTrafficMirrorFilterRule`,
58+
`ModifyTrafficMirrorSession|Filter|FilterRule`, and `Delete*` calls (rapid create-modify patterns can indicate staging).
59+
- **Session management**: `DeleteTrafficMirrorSession` shortly after creation (test/probe), or repeated creations to different targets.
60+
- **Discovery/positioning**: `DescribeNetworkInterfaces`, `DescribeInstances`, `DescribeVpcs/Subnets/RouteTables` around the same time.
61+
- **Cross-account indicators**: creation of targets that forward to infrastructure not owned by your account (e.g., NLB in shared services).
62+
- **Other suspicious changes**: IAM permission changes, new access keys, or S3/SNS setup that could support exfil/ops.
63+
64+
**Validate the mirror destination and potential data exposure**
65+
- If the target is an ENI: identify the owning instance/application; confirm it is an approved NDR/packet capture host.
66+
- If the target is an NLB target: determine where the NLB sends traffic (could be a collection point in another VPC or account).
67+
- Assess whether mirrored flows include plaintext protocols (internal HTTP, databases, LDAP, etc.) increasing sensitivity.
4468
4569
### False positive analysis
4670
47-
- Routine network monitoring activities may trigger the rule if legitimate traffic mirroring is set up for performance analysis. To manage this, identify and document authorized traffic mirroring configurations and exclude them from alerts.
48-
- Security audits or compliance checks might involve creating traffic mirroring sessions. Coordinate with audit teams to schedule these activities and temporarily suppress alerts during these periods.
49-
- Development and testing environments often use traffic mirroring for debugging purposes. Maintain a list of such environments and apply exceptions to avoid unnecessary alerts.
50-
- Automated infrastructure management tools might create traffic mirroring components as part of their operations. Review and whitelist these tools to prevent false positives.
51-
- Ensure that any third-party services with access to your AWS environment are vetted and their activities are monitored to distinguish between legitimate and suspicious traffic mirroring actions.
71+
- **Authorized monitoring**: Approved NDR/IDS tooling or troubleshooting playbooks may legitimately create sessions.
72+
- **Ops/diagnostics**: Short-lived sessions during incident handling or performance analysis.
73+
- **Automation**: Infrastructure pipelines that stand up temporary mirroring for validation.
5274
5375
### Response and remediation
5476
55-
- Immediately isolate the affected EC2 instance to prevent further data exfiltration. This can be done by removing the instance from any network access or security groups that allow outbound traffic.
56-
- Review and terminate any unauthorized Traffic Mirroring sessions, filters, or targets that were created. Ensure that only legitimate and necessary mirroring configurations are active.
57-
- Conduct a thorough audit of the AWS CloudTrail logs to identify any other suspicious activities or unauthorized access attempts related to Traffic Mirroring or other sensitive operations.
58-
- Rotate and update any credentials or access keys that may have been exposed or compromised during the incident to prevent further unauthorized access.
59-
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation. Escalate to higher management if the data exfiltration involves sensitive or critical data.
60-
- Implement additional network monitoring and intrusion detection measures to enhance visibility and detect similar threats in the future. Consider using AWS GuardDuty or similar services for continuous threat detection.
61-
- Review and update security policies and access controls to ensure that Traffic Mirroring and other sensitive features are only accessible to authorized personnel with a legitimate need.
77+
**1. Contain**
78+
- If unauthorized, terminate the session immediately (use the `TrafficMirrorSessionId` from `aws.cloudtrail.response_elements`)
79+
and block creation permissions for the offending principal.
80+
- Quarantine or restrict egress from the target if you suspect it is forwarding captured traffic outside approved destinations.
81+
82+
**2. Investigate**
83+
- Enumerate all active sessions in the affected account/region; verify there aren’t additional rogue sessions.
84+
- Review related target and filter resources (and recent `Modify*` calls) to understand captured scope and recipients.
85+
- Trace the source ENI back to the EC2 instance and validate whether sensitive workloads were mirrored.
86+
87+
**3. Recover & harden**
88+
- Remove or lock down unapproved targets/filters; enforce least privilege on `ec2:CreateTrafficMirrorSession/Target/Filter`.
89+
- Consider SCPs or IAM conditions limiting who/where sessions can be created (e.g., only into designated monitoring VPCs).
90+
- Ensure monitoring targets are controlled, logged, and not internet-reachable.
6291
63-
## Setup
92+
**4. Improve**
93+
- Add correlation logic to automatically surface CreateTrafficMirrorSession alongside Create/Modify Target/Filter calls by the same actor.
94+
- Require tags on approved mirroring resources; alert on untagged/unticketed creations.
95+
- Update playbooks to include a standard validation checklist (principal, source ENI, target, filter rules, destination path).
6496
65-
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
97+
"""
6698
references = [
67-
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html",
68-
"https://github.com/easttimor/aws-incident-response",
99+
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorSession.html",
100+
"https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/",
69101
]
70102
risk_score = 47
71103
rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
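Review bot: the removed `## Setup` block (`The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.`) was the only place the note told the reader which data source the rule needs; restore it after the new `**4. Improve**` section unless that requirement is documented elsewhere. Also, `**1. Contain**` says "terminate the session immediately" without naming the call; since the guide already lists `DeleteTrafficMirrorSession` under session management, state that containment is `DeleteTrafficMirrorSession` on the `TrafficMirrorSessionId` from `aws.cloudtrail.response_elements`, and that this leaves the target and filter resources in place for the `**3. Recover & harden**` step.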
@@ -74,6 +106,7 @@ tags = [
74106
"Domain: Cloud",
75107
"Data Source: AWS",
76108
"Data Source: Amazon Web Services",
109+
"Data Source: AWS EC2",
77110
"Use Case: Network Security Monitoring",
78111
"Tactic: Exfiltration",
79112
"Tactic: Collection",
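Review bot: this commit adds a third `[[rule.threat]]` block mapping T1040 under TA0007 Discovery, but the tag list here still only carries `"Tactic: Exfiltration"` and `"Tactic: Collection"`; add `"Tactic: Discovery"` alongside `"Data Source: AWS EC2"` (or drop the new tactic block) so the tags and the threat mapping stay consistent.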
@@ -83,9 +116,10 @@ timestamp_override = "event.ingested"
83116
type = "query"
84117

85118
query = '''
86-
event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
87-
event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and
88-
event.outcome:success
119+
event.dataset: "aws.cloudtrail" and
120+
event.provider: "ec2.amazonaws.com" and
121+
event.action: "CreateTrafficMirrorSession" and
122+
event.outcome: "success"
89123
'''
90124

91125

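Review bot: narrowing the query to `event.action: "CreateTrafficMirrorSession"` leaves `ModifyTrafficMirrorSession` unmonitored, even though the new guide lists it as a staging indicator; an actor who repoints an already-approved session's `TrafficMirrorTargetId` or `TrafficMirrorFilterId` at their own target produces no alert under this query. Consider `event.action: ("CreateTrafficMirrorSession" or "ModifyTrafficMirrorSession")`, or a companion rule, so the redirect path is covered without reintroducing the filter/target noise the commit removes.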
@@ -96,6 +130,11 @@ id = "T1020"
96130
name = "Automated Exfiltration"
97131
reference = "https://attack.mitre.org/techniques/T1020/"
98132

133+
[[rule.threat.technique]]
134+
id = "T1537"
135+
name = "Transfer Data to Cloud Account"
136+
reference = "https://attack.mitre.org/techniques/T1537/"
137+
99138

100139
[rule.threat.tactic]
101140
id = "TA0010"
@@ -113,4 +152,34 @@ reference = "https://attack.mitre.org/techniques/T1074/"
113152
id = "TA0009"
114153
name = "Collection"
115154
reference = "https://attack.mitre.org/tactics/TA0009/"
155+
[[rule.threat]]
156+
framework = "MITRE ATT&CK"
157+
[[rule.threat.technique]]
158+
id = "T1040"
159+
name = "Network Sniffing"
160+
reference = "https://attack.mitre.org/techniques/T1040/"
161+
162+
163+
[rule.threat.tactic]
164+
id = "TA0007"
165+
name = "Discovery"
166+
reference = "https://attack.mitre.org/tactics/TA0007/"
167+
168+
[rule.investigation_fields]
169+
field_names = [
170+
"@timestamp",
171+
"user.name",
172+
"user_agent.original",
173+
"source.ip",
174+
"aws.cloudtrail.user_identity.arn",
175+
"aws.cloudtrail.user_identity.type",
176+
"aws.cloudtrail.user_identity.access_key_id",
177+
"target.entity.id",
178+
"event.action",
179+
"event.outcome",
180+
"cloud.account.id",
181+
"cloud.region",
182+
"aws.cloudtrail.request_parameters",
183+
"aws.cloudtrail.response_elements",
184+
]
116185

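Review bot: the spacing around the new threat block is inconsistent: `[[rule.threat]]` follows the Collection tactic's `reference = "https://attack.mitre.org/tactics/TA0009/"` with no blank line, while two blank lines separate the T1040 technique from its `[rule.threat.tactic]`; match the single-blank-line layout the earlier blocks use. Separately, confirm that `target.entity.id` and `user.name` in `field_names` are populated for this CloudTrail event in your ingest pipeline, otherwise they render as empty highlighted fields on every alert.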