<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Azure Front Door WAF - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/azure-front-door-waf/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/azure-front-door-waf/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Front Door WAF Policy Deletion Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-frontdoor-waf-deletion/</link><pubDate>Tue, 09 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-frontdoor-waf-deletion/</guid><description>Detection of Azure Front Door Web Application Firewall (WAF) policy deletion, which can indicate an attacker's attempt to evade defenses by removing a security layer protecting web applications.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of unauthorized or malicious deletion of Azure Front Door Web Application Firewall (WAF) policies. Azure Front Door WAF policies are critical security controls that protect web applications by filtering and monitoring HTTP requests, blocking malicious traffic and preventing exploitation of vulnerabilities. An adversary may delete these policies to bypass security measures, facilitating unauthorized access, data exfiltration, or other malicious activities. The deletion of a WAF policy can have a significant impact, potentially exposing web applications to a wide range of attacks, including SQL injection, cross-site scripting (XSS), and other web-based threats. Defenders should monitor for unexpected deletions of these policies and promptly investigate any such events. This brief provides guidance for detection engineers to identify and respond to this type of defense evasion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to an Azure account with sufficient privileges to manage Front Door WAF policies, possibly through compromised credentials or exploiting a privilege escalation vulnerability.</li>
<li><strong>Discovery:</strong> The attacker enumerates existing Front Door WAF policies to identify targets for disabling or deletion.</li>
<li><strong>Defense Evasion:</strong> The attacker initiates the deletion of a Front Door WAF policy using the Azure portal, Azure CLI, or PowerShell. The specific operation name is &quot;MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE&quot;.</li>
<li><strong>Persistence (Optional):</strong> The attacker may attempt to prevent detection by disabling logging or other security monitoring features within Azure.</li>
<li><strong>Impact:</strong> With the WAF policy removed, web applications protected by the policy become vulnerable to a wide range of web-based attacks.</li>
<li><strong>Further Exploitation:</strong> The attacker leverages the unprotected web applications to gain unauthorized access to sensitive data, deploy malware, or perform other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of a Front Door WAF policy can expose web applications to a variety of attacks, including SQL injection, cross-site scripting (XSS), and DDoS attacks. This can lead to data breaches, service disruptions, and reputational damage. The severity of the impact depends on the criticality of the protected applications and the sensitivity of the data they process.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Front Door WAF Policy Deleted</code> to your SIEM to detect unauthorized WAF policy deletions by monitoring Azure activity logs.</li>
<li>Enable Azure Activity Log monitoring and ensure logs are ingested into your SIEM to provide the data source for the detection rule.</li>
<li>Implement Role-Based Access Control (RBAC) with the principle of least privilege to restrict access to Azure management operations and minimize the risk of unauthorized policy modifications.</li>
<li>Investigate any identified WAF policy deletion events by examining the associated user identity and the context of the deletion, as described in the overview.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>waf</category><category>defense_evasion</category></item></channel></rss>