{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-network-firewall/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Network Firewall"],"_cs_severities":["medium"],"_cs_tags":["attack.impact","attack.defense-impairment","attack.t1686.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may target Azure Network Firewall Policies to weaken an organization\u0026rsquo;s security posture. By modifying existing policies, adversaries can introduce rules that allow malicious traffic, disable existing protections, or create backdoors for future access. Deleting firewall policies altogether removes a critical layer of defense, potentially exposing internal resources to external threats. This activity is typically conducted after gaining initial access to the Azure environment through compromised credentials or other means. Monitoring for unauthorized changes to firewall policies is critical for maintaining network security and preventing potential data breaches or service disruptions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure environment, possibly through compromised credentials or a vulnerability in a deployed application.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Azure Network Firewall Policies using Azure CLI or PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a firewall policy to modify or delete to achieve their objectives.\u003c/li\u003e\n\u003cli\u003eIf modifying, the attacker uses commands such as \u003ccode\u003eSet-AzNetworkFirewallPolicy\u003c/code\u003e or the Azure portal to alter the policy rules, potentially adding permissive rules or disabling existing restrictions.\u003c/li\u003e\n\u003cli\u003eIf deleting, the attacker uses commands such as \u003ccode\u003eRemove-AzNetworkFirewallPolicy\u003c/code\u003e or the Azure portal to remove the firewall policy entirely.\u003c/li\u003e\n\u003cli\u003eThe changes are applied to the Azure Network Firewall, impacting network traffic filtering.\u003c/li\u003e\n\u003cli\u003eThe attacker validates the effectiveness of the modified or deleted policy by testing network connectivity to previously protected resources.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to exploit the newly exposed resources for data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of Azure Network Firewall policies can lead to significant security breaches. Attackers may be able to bypass network segmentation, gain unauthorized access to sensitive data, disrupt critical services, or deploy malicious code within the network. The impact can range from data theft and financial loss to reputational damage and regulatory penalties. The number of affected resources depends on the scope of the compromised firewall policy and the attacker\u0026rsquo;s subsequent actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Azure Network Firewall Policy Modified or Deleted\u0026rdquo; to detect unauthorized changes to firewall policies (logsource: azure, service: activitylogs).\u003c/li\u003e\n\u003cli\u003eReview user identities and user agents associated with detected events to determine if the changes were made by authorized personnel or malicious actors, as detailed in the false positives section.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by granting users only the necessary permissions to manage firewall policies.\u003c/li\u003e\n\u003cli\u003eImplement continuous monitoring and alerting for all Azure resources, including network firewalls, to detect suspicious activity and potential security breaches.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:12:00Z","date_published":"2024-01-03T18:12:00Z","id":"/briefs/2024-01-azure-firewall-policy-changes/","summary":"An adversary may modify or delete Azure Network Firewall Policies to impair defenses and potentially impact network security.","title":"Azure Network Firewall Policy Modification or Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-policy-changes/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure Network Firewall","version":"https://jsonfeed.org/version/1.1"}