Open Ingress Port 22 on a Security Group
Platform: AWS
MITRE ATT&CK Tactics
- Exfiltration
Description
Opens ingress traffic on port 22 from the Internet (0.0.0.0/0).
Warm-up:
- Create a VPC and a security group inside it.
Detonation:
- Call ec2:AuthorizeSecurityGroupIngress to allow ingress traffic on port 22 from 0.0.0.0/0.
Instructions
Detonate with Stratus Red Team
stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress
Detection
You can use the CloudTrail event AuthorizeSecurityGroupIngress when:
- requestParameters.cidrIp is 0.0.0.0/0 (or an unknown external IP), and
- requestParameters.fromPort / requestParameters.toPort is not a commonly exposed port or corresponds to a known administrative protocol such as SSH or RDP
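The detection rule above, implemented as an added example that is not part of the Stratus Red Team documentation or code base. It evaluates CloudTrail records for AuthorizeSecurityGroupIngress and reports rules whose source is 0.0.0.0/0 or lies outside a list of trusted networks, and whose port range either covers an administrative protocol (SSH, RDP) or is not a commonly exposed port. The flat requestParameters.cidrIp/fromPort/toPort layout is the one the page quotes; the nested requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp layout that CloudTrail writes when the call uses the IpPermissions parameter form is an assumption about CloudTrail's serialisation. The trusted networks, the "commonly exposed" port set and the sample records are all constructed for the example.

```python
import ipaddress
import json

# Administrative protocols named on the page (constructed mapping; extend as needed).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Ports a team commonly exposes on purpose (assumption; tune to your environment).
COMMONLY_EXPOSED_PORTS = {80, 443}
# Address space the team owns; anything else counts as "unknown external" (constructed sample).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def iter_ingress_rules(request_params):
    """Yield (cidr, from_port, to_port) for every IPv4 range in one request.

    Handles both the flat form the page quotes (cidrIp / fromPort / toPort) and the
    IpPermissions form (ipPermissions.items[].ipRanges.items[].cidrIp); the nested
    layout is assumed from how CloudTrail serialises list-valued request parameters.
    """
    if request_params.get("cidrIp"):
        yield (request_params["cidrIp"], request_params.get("fromPort"), request_params.get("toPort"))
    for perm in request_params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield (rng.get("cidrIp"), perm.get("fromPort"), perm.get("toPort"))


def is_untrusted_source(cidr):
    """True for 0.0.0.0/0 or any range that is not fully inside a trusted network."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except (ValueError, TypeError):
        return True  # unparsable source: surface it rather than silently skipping the rule
    if net.prefixlen == 0:
        return True
    return not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETWORKS)


def port_risk(from_port, to_port):
    """Return why a port range deserves an alert, or None when it is only commonly exposed ports.

    fromPort/toPort of -1 (or absent, e.g. for protocol "-1") means every port.
    """
    if from_port is None or to_port is None or int(from_port) == -1 or int(to_port) == -1:
        return "all ports"
    lo, hi = int(from_port), int(to_port)
    admin = [f"{ADMIN_PORTS[p]} ({p})" for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
    if admin:
        return "administrative protocol: " + ", ".join(admin)
    if all(p in COMMONLY_EXPOSED_PORTS for p in range(lo, hi + 1)):
        return None
    return f"uncommon port range {lo}-{hi}"


def evaluate_event(event):
    """Return a list of findings for one CloudTrail record; empty when nothing matches."""
    if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters") or {}
    findings = []
    for cidr, lo, hi in iter_ingress_rules(params):
        if not is_untrusted_source(cidr):
            continue
        reason = port_risk(lo, hi)
        if reason is None:
            continue
        findings.append({
            "securityGroupId": params.get("groupId"),
            "principal": (event.get("userIdentity") or {}).get("arn"),
            "cidr": cidr,
            "reason": reason,
        })
    return findings


def scan(records):
    """Run the rule over a batch of CloudTrail records."""
    return [finding for record in records for finding in evaluate_event(record)]


# Constructed CloudTrail records: one matching the detonation, and three that should not alert
# (trusted source on port 22, world-open HTTPS, a revoke) plus one uncommon port from an unknown IP.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/stratus-example"},
  "requestParameters": {"groupId": "sg-0example1", "cidrIp": "0.0.0.0/0",
                        "ipProtocol": "tcp", "fromPort": 22, "toPort": 22}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "requestParameters": {"groupId": "sg-0example2", "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "requestParameters": {"groupId": "sg-0example3", "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "RevokeSecurityGroupIngress",
  "requestParameters": {"groupId": "sg-0example1", "cidrIp": "0.0.0.0/0", "fromPort": 22, "toPort": 22}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "requestParameters": {"groupId": "sg-0example4", "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 8443, "toPort": 8443, "ipRanges": {"items": [{"cidrIp": "198.51.100.7/32"}]}}]}}}
]""")

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Only the first and last records produce findings: the detonation's 0.0.0.0/0 rule on port 22 is reported as an administrative protocol, and the /32 from outside the trusted networks on 8443 is reported as an uncommon port. Port 22 from the team's own 10.20.0.0/16 and world-open HTTPS stay quiet, which is the trade-off the page describes; tightening COMMONLY_EXPOSED_PORTS or TRUSTED_NETWORKS moves that line.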