{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/elastic-file-system-efs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic File System (EFS)"],"_cs_severities":["medium"],"_cs_tags":["aws","efs","data-destruction","impact"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThe Amazon Elastic File System (EFS) provides scalable, shared file storage. The deletion of an EFS file system, detected via the \u0026quot;DeleteFileSystem\u0026quot; API operation, permanently removes all stored data, which cannot be recovered. This action is rare outside of controlled teardown workflows. This event, logged by AWS CloudTrail, can signal intentional data destruction, preparation for ransomware attacks, or post-compromise cleanup activities. The rule focuses exclusively on the irreversible destructive event of deleting an EFS file system via the \u003ccode\u003eDeleteFileSystem\u003c/code\u003e API call. Detection is based on logs from \u003ccode\u003eelasticfilesystem.amazonaws.com\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains unauthorized access to an AWS account.\u003c/li\u003e\n\u003cli\u003eThe adversary escalates privileges within the AWS account to obtain permissions to delete EFS file systems.\u003c/li\u003e\n\u003cli\u003eAdversary enumerates existing EFS file systems using AWS CLI or API calls.\u003c/li\u003e\n\u003cli\u003eAdversary identifies a target EFS file system for deletion.\u003c/li\u003e\n\u003cli\u003eAdversary deletes mount targets associated with the EFS file system.\u003c/li\u003e\n\u003cli\u003eAdversary executes the \u003ccode\u003eDeleteFileSystem\u003c/code\u003e API call via AWS CLI, API, or console.\u003c/li\u003e\n\u003cli\u003eThe EFS file system and its stored data are permanently deleted.\u003c/li\u003e\n\u003cli\u003eAdversary may attempt to delete CloudWatch logs to remove traces of their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an EFS file system results in permanent data loss, disrupting workloads reliant on the deleted file system. This can lead to significant operational downtime, financial losses, and potential compliance violations, especially if the file system contained sensitive or regulated data. The impact varies based on the importance of the data and the availability of backups. Recovering from this requires restoring from backups, if available, or rebuilding the infrastructure and data from scratch.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS EFS File System Deleted\u0026quot; to your SIEM and tune for your environment to detect unauthorized deletions of EFS file systems.\u003c/li\u003e\n\u003cli\u003eRestrict the use of \u003ccode\u003eelasticfilesystem:DeleteFileSystem\u003c/code\u003e to tightly controlled IAM roles as mentioned in the overview section.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.user_identity.access_key_id\u003c/code\u003e to identify the actor and calling context as described in the Triage section of the documentation.\u003c/li\u003e\n\u003cli\u003eEnsure AWS Backup policies include EFS resources with sufficient retention to mitigate data loss from accidental or malicious deletion.\u003c/li\u003e\n\u003cli\u003eUse AWS Config or Security Hub controls to detect EFS file systems without backup plans as described in the Hardening section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-efs-deletion/","summary":"An adversary with sufficient permissions deletes an Amazon EFS file system using the 'DeleteFileSystem' API operation to destroy evidence, disrupt workloads, or impede recovery efforts.","title":"AWS EFS File System Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-efs-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Elastic File System (EFS)","version":"https://jsonfeed.org/version/1.1"}