<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Elastic File System (EFS) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/elastic-file-system-efs/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/elastic-file-system-efs/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS EFS File System Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-efs-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-efs-deletion/</guid><description>An adversary with sufficient permissions deletes an Amazon EFS file system using the 'DeleteFileSystem' API operation to destroy evidence, disrupt workloads, or impede recovery efforts.</description><content:encoded><![CDATA[<p>The Amazon Elastic File System (EFS) provides scalable, shared file storage. The deletion of an EFS file system, detected via the &quot;DeleteFileSystem&quot; API operation, permanently removes all stored data, which cannot be recovered. This action is rare outside of controlled teardown workflows. This event, logged by AWS CloudTrail, can signal intentional data destruction, preparation for ransomware attacks, or post-compromise cleanup activities. The rule focuses exclusively on the irreversible destructive event of deleting an EFS file system via the <code>DeleteFileSystem</code> API call. Detection is based on logs from <code>elasticfilesystem.amazonaws.com</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Adversary gains unauthorized access to an AWS account.</li>
<li>The adversary escalates privileges within the AWS account to obtain permissions to delete EFS file systems.</li>
<li>Adversary enumerates existing EFS file systems using AWS CLI or API calls.</li>
<li>Adversary identifies a target EFS file system for deletion.</li>
<li>Adversary deletes mount targets associated with the EFS file system.</li>
<li>Adversary executes the <code>DeleteFileSystem</code> API call via AWS CLI, API, or console.</li>
<li>The EFS file system and its stored data are permanently deleted.</li>
<li>Adversary may attempt to delete CloudWatch logs to remove traces of their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of an EFS file system results in permanent data loss, disrupting workloads reliant on the deleted file system. This can lead to significant operational downtime, financial losses, and potential compliance violations, especially if the file system contained sensitive or regulated data. The impact varies based on the importance of the data and the availability of backups. Recovering from this requires restoring from backups, if available, or rebuilding the infrastructure and data from scratch.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS EFS File System Deleted&quot; to your SIEM and tune for your environment to detect unauthorized deletions of EFS file systems.</li>
<li>Restrict the use of <code>elasticfilesystem:DeleteFileSystem</code> to tightly controlled IAM roles as mentioned in the overview section.</li>
<li>Review <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.user_identity.access_key_id</code> to identify the actor and calling context as described in the Triage section of the documentation.</li>
<li>Ensure AWS Backup policies include EFS resources with sufficient retention to mitigate data loss from accidental or malicious deletion.</li>
<li>Use AWS Config or Security Hub controls to detect EFS file systems without backup plans as described in the Hardening section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>efs</category><category>data-destruction</category><category>impact</category></item></channel></rss>