{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-front-door-waf/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Front Door WAF"],"_cs_severities":["low"],"_cs_tags":["azure","waf","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized or malicious deletion of Azure Front Door Web Application Firewall (WAF) policies. Azure Front Door WAF policies are critical security controls that protect web applications by filtering and monitoring HTTP requests, blocking malicious traffic and preventing exploitation of vulnerabilities. An adversary may delete these policies to bypass security measures, facilitating unauthorized access, data exfiltration, or other malicious activities. The deletion of a WAF policy can have a significant impact, potentially exposing web applications to a wide range of attacks, including SQL injection, cross-site scripting (XSS), and other web-based threats. Defenders should monitor for unexpected deletions of these policies and promptly investigate any such events. This brief provides guidance for detection engineers to identify and respond to this type of defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to an Azure account with sufficient privileges to manage Front Door WAF policies, possibly through compromised credentials or exploiting a privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing Front Door WAF policies to identify targets for disabling or deletion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker initiates the deletion of a Front Door WAF policy using the Azure portal, Azure CLI, or PowerShell. The specific operation name is \u0026quot;MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\u0026quot;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker may attempt to prevent detection by disabling logging or other security monitoring features within Azure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e With the WAF policy removed, web applications protected by the policy become vulnerable to a wide range of web-based attacks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Exploitation:\u003c/strong\u003e The attacker leverages the unprotected web applications to gain unauthorized access to sensitive data, deploy malware, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of a Front Door WAF policy can expose web applications to a variety of attacks, including SQL injection, cross-site scripting (XSS), and DDoS attacks. This can lead to data breaches, service disruptions, and reputational damage. The severity of the impact depends on the criticality of the protected applications and the sensitivity of the data they process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Front Door WAF Policy Deleted\u003c/code\u003e to your SIEM to detect unauthorized WAF policy deletions by monitoring Azure activity logs.\u003c/li\u003e\n\u003cli\u003eEnable Azure Activity Log monitoring and ensure logs are ingested into your SIEM to provide the data source for the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement Role-Based Access Control (RBAC) with the principle of least privilege to restrict access to Azure management operations and minimize the risk of unauthorized policy modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified WAF policy deletion events by examining the associated user identity and the context of the deletion, as described in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:30:00Z","date_published":"2024-01-09T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-frontdoor-waf-deletion/","summary":"Detection of Azure Front Door Web Application Firewall (WAF) policy deletion, which can indicate an attacker's attempt to evade defenses by removing a security layer protecting web applications.","title":"Azure Front Door WAF Policy Deletion Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-frontdoor-waf-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Azure Front Door WAF","version":"https://jsonfeed.org/version/1.1"}