← Back to Explore
splunk_escuTTP
AWS Network Access Control List Created with All Open Ports
The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.
MITRE ATT&CK
Detection Query
`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1
| append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1
| eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from'
| where port_range>1024]
| fillnull
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product requestParameters.ruleAction
requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to
requestParameters.portRange.from requestParameters.cidrBlock
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_network_access_control_list_created_with_all_open_ports_filter`Author
Bhavin Patel, Patrick Bareiss, Splunk
Created
2026-03-10
Data Sources
AWS CloudTrail CreateNetworkAclEntryAWS CloudTrail ReplaceNetworkAclEntry
Tags
AWS Network ACL Activity
Raw Content
name: AWS Network Access Control List Created with All Open Ports
id: ada0f478-84a8-4641-a3f1-d82362d6bd75
version: 10
date: '2026-03-10'
author: Bhavin Patel, Patrick Bareiss, Splunk
status: production
type: TTP
description: The following analytic detects the creation of AWS Network Access Control Lists (ACLs) with all ports open to a specified CIDR. It leverages AWS CloudTrail events, specifically monitoring for `CreateNetworkAclEntry` or `ReplaceNetworkAclEntry` actions with rules allowing all traffic. This activity is significant because it can expose the network to unauthorized access, increasing the risk of data breaches and other malicious activities. If confirmed malicious, an attacker could exploit this misconfiguration to gain unrestricted access to the network, potentially leading to data exfiltration, service disruption, or further compromise of the AWS environment.
data_source:
- AWS CloudTrail CreateNetworkAclEntry
- AWS CloudTrail ReplaceNetworkAclEntry
search: |-
`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1
| append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1
| eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from'
| where port_range>1024]
| fillnull
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product requestParameters.ruleAction
requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to
requestParameters.portRange.from requestParameters.cidrBlock
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_network_access_control_list_created_with_all_open_ports_filter`
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.
known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
references: []
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$
risk_objects:
- field: user
type: user
score: 50
threat_objects:
- field: src
type: ip_address
tags:
analytic_story:
- AWS Network ACL Activity
asset_type: AWS Instance
mitre_attack_id:
- T1562.007
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail