{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-firewall/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Firewall"],"_cs_severities":["medium"],"_cs_tags":["azure","firewall","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe modification or deletion of Azure Firewall rule collections (Application, NAT, and Network) can indicate malicious activity within an Azure environment. Threat actors may target these rules to bypass security controls, allowing unauthorized network traffic, enabling data exfiltration, or facilitating lateral movement. Monitoring these changes is crucial for maintaining the integrity of network security policies and detecting potential breaches. This activity directly impacts an organization\u0026rsquo;s ability to enforce its security posture, potentially exposing sensitive resources to unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure environment, potentially through compromised credentials or a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Azure Firewall resources to identify rule collections (Application, NAT, and Network) that can be modified or deleted.\u003c/li\u003e\n\u003cli\u003eThe attacker uses valid Azure credentials or exploits a misconfiguration to authenticate to the Azure Resource Manager API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to modify the target rule collection, potentially altering allowed ports, IP addresses, or protocols.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a request to delete an entire rule collection, effectively disabling its associated security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the request to the Azure Resource Manager API, executing the change to the firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe modified or deleted rule collection now allows unauthorized traffic to bypass the firewall, potentially enabling lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the newly opened network paths to achieve their final objective, such as deploying ransomware or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of Azure Firewall rule collections can have significant consequences. Unauthorized traffic could bypass security controls, enabling data exfiltration, lateral movement, or the deployment of malware. This could lead to data breaches, service disruptions, and financial losses. The impact depends on the scope of the modified or deleted rule collection and the resources it protects.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Firewall Rule Collection Modified or Deleted\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized changes to firewall configurations.\u003c/li\u003e\n\u003cli\u003eReview Azure Activity Logs for any events matching the \u003ccode\u003eoperationName\u003c/code\u003e values specified in the Sigma rule to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts, especially those with permissions to manage firewall resources, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure role-based access control (RBAC) assignments to ensure the principle of least privilege is followed and that only authorized users have permissions to modify firewall configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-azure-firewall-rule-collection-modification/","summary":"An attacker may modify or delete Azure Firewall rule collections (Application, NAT, and Network) to impair defenses and potentially enable malicious traffic.","title":"Azure Firewall Rule Collection Modification or Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-rule-collection-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure Firewall","version":"https://jsonfeed.org/version/1.1"}