AuthorizeSecurityGroupEgress
Event
Adds outbound rules to a VPC security group, permitting traffic from instances associated with the group to the specified destination IP ranges, prefix lists, or security groups.
Security Context
- Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.
- Exfiltration through cloud services allows adversaries to extract data using legitimate APIs that may not trigger network-based alerts.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion, Exfiltration
Techniques:
- T1562.007 — Disable or Modify Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in Disable or Modify System Firewall.
- T1048 — Exfiltration Over Alternative Protocol — Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
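Added detection example (not part of this event reference, and not an AWS-provided rule): a small Python check that reads CloudTrail records, keeps only AuthorizeSecurityGroupEgress calls from ec2.amazonaws.com, and rates each added destination by how broad it is. The sample records below are constructed for the example; their nested "items" layout mirrors how EC2 API parameters appear in CloudTrail, trimmed to the fields the check reads. The severity thresholds (any-address destination, and the /8 cut-off for "broad") are assumptions to tune for your environment.

```python
import ipaddress

# Constructed sample CloudTrail records for this example (not taken from the page).
SAMPLE_EVENTS = [
    {   # all protocols to anywhere, plus HTTPS to anywhere over IPv6
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupEgress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "-1",
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
            ]},
        },
    },
    {   # HTTPS to one documentation-range /24: narrow, no finding
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupEgress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy-role"},
        "requestParameters": {
            "groupId": "sg-0fedcba9876543210",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}},
            ]},
        },
    },
    {   # inbound rule change: a different event, out of scope for this check
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
]

BROAD_PREFIX_LEN = 8  # assumption: a destination at /8 or wider counts as "broad"


def _cidrs(permission):
    """Yield every IPv4/IPv6 destination CIDR in one ipPermissions entry."""
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for entry in permission.get(key, {}).get("items", []):
            yield entry[field]


def severity_for(cidr, protocol):
    """Rate one egress destination; any-address with all protocols is the worst case."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                       # 0.0.0.0/0 or ::/0
        return "high" if protocol == "-1" else "medium"
    if net.prefixlen <= BROAD_PREFIX_LEN:
        return "low"
    return None                                  # narrow destination: no finding


def egress_findings(events):
    """Return one finding per broad destination added by AuthorizeSecurityGroupEgress."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "ec2.amazonaws.com"
                or ev.get("eventName") != "AuthorizeSecurityGroupEgress"):
            continue
        params = ev.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            protocol = str(perm.get("ipProtocol", "-1"))
            for cidr in _cidrs(perm):
                sev = severity_for(cidr, protocol)
                if sev is None:
                    continue
                findings.append({
                    "severity": sev,
                    "groupId": params.get("groupId"),
                    "destination": cidr,
                    "protocol": "all" if protocol == "-1" else protocol,
                    "ports": (perm.get("fromPort"), perm.get("toPort")),
                    "actor": ev.get("userIdentity", {}).get("arn"),
                })
    return findings


if __name__ == "__main__":
    for finding in egress_findings(SAMPLE_EVENTS):
        print(finding)
```

The check deliberately records the calling principal and the target group ID so an alert can be correlated with the restrictive rule set that existed before the change (for example from a configuration snapshot); security-group references in the "groups" field are not CIDRs and are left for a separate review.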