<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS WAF Regional - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-waf-regional/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-waf-regional/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS WAF Access Control List Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-aws-waf-acl-deletion/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-aws-waf-acl-deletion/</guid><description>Detection of AWS Web Application Firewall (WAF) Web ACL deletion, which adversaries may perform to disable security controls, evade detection, and prepare for subsequent attacks, potentially leading to web-application compromise, data theft, or resource abuse.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of AWS Web Application Firewall (WAF) Web ACL deletion. AWS WAF protects web applications by filtering malicious HTTP/S traffic. A Web ACL acts as the central enforcement point, determining which traffic is inspected, allowed, or blocked. An attacker with sufficient privileges may delete a Web ACL to disable these protections. This action bypasses configured rules, protections, and logging, potentially leading to web-application compromise, data theft, or resource abuse. Because Web ACLs are critical security components, their deletion is rare and can signal malicious activity. This detection focuses on identifying successful <code>DeleteWebACL</code> events across WAF Classic, WAF Regional, and WAFv2 APIs in AWS CloudTrail logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an AWS account with sufficient IAM permissions to manage WAF resources, potentially through compromised credentials or privilege escalation.</li>
<li>The attacker authenticates to the AWS environment using the compromised credentials or assumed role.</li>
<li>The attacker uses the AWS CLI, SDK, or Management Console to issue a <code>DeleteWebACL</code> API call targeting a specific Web ACL.</li>
<li>The API call is successful, and the targeted Web ACL is removed from the AWS environment.</li>
<li>All rules, protections, and logging configurations associated with the deleted Web ACL are immediately disabled.</li>
<li>Web applications previously protected by the deleted Web ACL are now exposed to potentially malicious traffic without filtering or monitoring.</li>
<li>The attacker may then exploit vulnerabilities in the exposed web applications to gain unauthorized access or steal sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of a Web ACL can have significant consequences. Applications previously protected by the Web ACL are exposed to direct exploitation. This could lead to web application compromise, data theft, or resource abuse. The number of affected applications depends on the scope of the deleted Web ACL. Successful exploitation can result in financial loss, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail logging for all regions to capture API activity related to WAF configurations and deletions. Use <code>data_stream.dataset: aws.cloudtrail</code> and <code>event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)</code> to filter logs (see query in this brief).</li>
<li>Deploy the Sigma rule to detect unauthorized Web ACL deletions and tune it to your environment, accounting for authorized deletions during maintenance windows or IaC deployments.</li>
<li>Restrict IAM permissions for <code>waf:DeleteWebACL</code> and <code>wafv2:DeleteWebACL</code> to a limited set of trusted roles, enforcing MFA for administrative access to prevent unauthorized deletions.</li>
<li>Monitor <code>aws.cloudtrail.user_identity.arn</code> and <code>access_key_id</code> in CloudTrail logs to identify the actor initiating the deletion and determine if the principal normally manages WAF resources (see investigation fields).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>waf</category><category>defense-evasion</category></item></channel></rss>