
Open Ingress Port 22 on a Security Group

Platform: AWS

MITRE ATT&CK Tactics

  • Exfiltration

Description

Opens ingress traffic on port 22 from the Internet (0.0.0.0/0).

Warm-up:

  • Create a VPC and a security group inside it.

Detonation:

  • Call ec2:AuthorizeSecurityGroupIngress to allow ingress traffic on port 22 from 0.0.0.0/0.

Instructions

Detonate with Stratus Red Team
stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress

Detection

You can use the CloudTrail event AuthorizeSecurityGroupIngress when:

  • requestParameters.cidrIp is 0.0.0.0/0 (or ::/0 in the IPv6 case, or any external range you do not recognize)
  • and the port range requestParameters.fromPort to requestParameters.toPort covers a known administrative protocol such as SSH (22) or RDP (3389), or is otherwise not a port you commonly expose (a range of -1 or an ipProtocol of -1 means all ports)

Note that the request parameters appear in one of two shapes depending on how the API was called: the flat form above, or nested under requestParameters.ipPermissions.items[], where the source ranges sit in ipRanges.items[].cidrIp and ipv6Ranges.items[].cidrIpv6. A detection rule should match both, otherwise SDK-driven calls (including the Stratus Red Team detonation) are missed.
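The detection logic above, run over constructed CloudTrail records, as an added example that is not part of the original page or of Stratus Red Team. It handles both request shapes (flat cidrIp/fromPort/toPort and the nested ipPermissions form), IPv4 and IPv6, and "all ports" rules. The sample events, the ADMIN_PORTS policy and the TRUSTED_NETWORKS list are assumptions made for the example; anything outside TRUSTED_NETWORKS is treated as an "unknown external IP".

```python
import ipaddress

# Constructed CloudTrail records (not real log data) in the shape of the
# AuthorizeSecurityGroupIngress event. Record 1 uses the flat parameter form,
# records 2 and 3 the nested ipPermissions form that SDK calls produce.
SAMPLE_EVENTS = [
    {
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0", "ipProtocol": "tcp",
            "fromPort": 22, "toPort": 22, "cidrIp": "0.0.0.0/0",   # SSH to the world
        },
    },
    {
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0fedcba9876543210",
            "ipPermissions": {"items": [
                {   # HTTPS to the world: commonly exposed, not an admin port
                    "ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                    "ipv6Ranges": {"items": []},
                },
                {   # RDP from every IPv6 address
                    "ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
                    "ipRanges": {"items": []},
                    "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]},
                },
            ]},
        },
    },
    {
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "10.20.30.40",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/NetOps"},
        "requestParameters": {
            "groupId": "sg-0aaaabbbbccccdddd",
            "ipPermissions": {"items": [
                {   # all protocols and ports, but from the corporate range
                    "ipProtocol": "-1", "fromPort": -1, "toPort": -1,
                    "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
                    "ipv6Ranges": {"items": []},
                },
                {   # a range that includes SSH, from an unknown external host
                    "ipProtocol": "tcp", "fromPort": 20, "toPort": 25,
                    "ipRanges": {"items": [{"cidrIp": "198.51.100.7/32"}]},
                    "ipv6Ranges": {"items": []},
                },
            ]},
        },
    },
    {   # different event name: must be ignored
        "eventName": "RevokeSecurityGroupIngress",
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipProtocol": "tcp",
                              "fromPort": 22, "toPort": 22, "cidrIp": "0.0.0.0/0"},
    },
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}          # hypothetical alerting policy
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),       # hypothetical corporate ranges
                    ipaddress.ip_network("2001:db8::/32")]
ICMP_PROTOCOLS = {"icmp", "icmpv6", "1", "58"}   # fromPort/toPort are type/code here, not ports


def extract_rules(request_parameters):
    """Normalise both request shapes into (ipProtocol, fromPort, toPort, cidr) tuples."""
    rules = []
    if "cidrIp" in request_parameters:   # flat form
        rules.append((request_parameters.get("ipProtocol", "-1"), request_parameters.get("fromPort"),
                      request_parameters.get("toPort"), request_parameters["cidrIp"]))
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):   # nested form
        proto, lo, hi = perm.get("ipProtocol", "-1"), perm.get("fromPort"), perm.get("toPort")
        rules += [(proto, lo, hi, r["cidrIp"]) for r in perm.get("ipRanges", {}).get("items", [])]
        rules += [(proto, lo, hi, r["cidrIpv6"]) for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return rules


def is_untrusted_source(cidr):
    """True for 0.0.0.0/0, ::/0, or any range not fully inside a trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    return not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETWORKS)


def exposed_admin_ports(ip_protocol, from_port, to_port):
    """Admin services a rule reaches; protocol -1 or port -1/missing means every port."""
    if ip_protocol in ICMP_PROTOCOLS:
        return []
    if ip_protocol == "-1" or None in (from_port, to_port) or -1 in (from_port, to_port):
        return sorted(ADMIN_PORTS.values())
    return [name for port, name in ADMIN_PORTS.items() if from_port <= port <= to_port]


def find_open_admin_ingress(events):
    """Flag AuthorizeSecurityGroupIngress calls exposing an admin port to an untrusted source."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = ev.get("requestParameters", {})
        for proto, lo, hi, cidr in extract_rules(params):
            services = exposed_admin_ports(proto, lo, hi) if is_untrusted_source(cidr) else []
            if services:
                findings.append({"groupId": params.get("groupId"), "cidr": cidr, "services": services,
                                 "actor": ev.get("userIdentity", {}).get("arn"),
                                 "sourceIPAddress": ev.get("sourceIPAddress")})
    return findings


if __name__ == "__main__":
    for finding in find_open_admin_ingress(SAMPLE_EVENTS):
        print(finding)
```

Against the sample records this produces three findings (SSH to 0.0.0.0/0, RDP to ::/0, and a 20-25 range from an unrecognised /32) and stays silent on the HTTPS rule, the corporate-range rule and the Revoke event. In a real pipeline the same function is applied to each record of the CloudTrail Records array, and TRUSTED_NETWORKS is the list to tune: the wider it is, the fewer "unknown external IP" alerts you get, at the cost of missing rules that open a port to a partner or office range you did not intend.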