<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Attack.t1686.001 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/attack.t1686.001/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 26 Oct 2024 14:27:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/attack.t1686.001/feed.xml" rel="self" type="application/rss+xml"/><item><title>New AWS Network ACL Entry Creation Detected</title><link>https://feed.craftedsignal.io/briefs/2024-10-aws-network-acl-created/</link><pubDate>Sat, 26 Oct 2024 14:27:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-aws-network-acl-created/</guid><description>Detection of new Network ACL entries in AWS CloudTrail logs can indicate potential defense impairment or the opening of new attack vectors within an AWS account by an adversary.</description><content:encoded><![CDATA[<p>The creation of new Network Access Control List (ACL) entries in Amazon Web Services (AWS) environments can be a sign of malicious activity. While legitimate use cases exist, adversaries can leverage these ACL changes to impair existing defenses, create new pathways for lateral movement, or establish persistence mechanisms. This activity is logged by CloudTrail and can be monitored to identify unauthorized or suspicious modifications to network security configurations. Attackers could create overly permissive rules that allow unauthorized access to critical resources or restrictive rules that disrupt legitimate traffic. 
Monitoring the creation of Network ACL entries is important for maintaining the integrity and security of AWS environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited vulnerability.</li>
<li>The attacker identifies the existing Network ACLs within the target Virtual Private Cloud (VPC).</li>
<li>The attacker uses the AWS Management Console, CLI, or API to create a new Network ACL entry. The <code>CreateNetworkAclEntry</code> event is logged in CloudTrail.</li>
<li>The new ACL entry may be configured to allow specific inbound or outbound traffic that was previously blocked, effectively opening a new attack vector.</li>
<li>Alternatively, the new ACL entry may be configured to deny legitimate traffic, causing a denial-of-service condition for specific services or resources.</li>
<li>The attacker leverages the newly created ACL entry to move laterally within the AWS environment, accessing previously inaccessible resources.</li>
<li>The attacker performs malicious actions, such as data exfiltration or resource compromise, using the newly opened network pathways.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The creation of unauthorized Network ACL entries can have significant consequences. It can lead to the opening of new attack vectors, allowing unauthorized access to sensitive data and critical resources. In some scenarios, it can result in a denial-of-service condition, disrupting legitimate business operations. Depending on the scope of the compromised resources and data, the impact can range from minor inconvenience to significant financial loss and reputational damage. Early detection of this activity is crucial to mitigating potential risks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;New Network ACL Entry Added&rdquo; to your SIEM to detect suspicious ACL modifications (logsource product: aws, service: cloudtrail).</li>
<li>Investigate any <code>CreateNetworkAclEntry</code> events that deviate from established baseline configurations or involve unexpected source/destination IP ranges.</li>
<li>Review and audit existing Network ACL configurations regularly to identify and remediate any overly permissive or restrictive rules.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of credential compromise and unauthorized access.</li>
<li>Monitor CloudTrail logs for other related events, such as <code>DeleteNetworkAclEntry</code> or <code>ReplaceNetworkAclEntry</code>, which may indicate further tampering with network security configurations.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>attack.defense-impairment</category><category>attack.t1686.001</category><category>cloud</category></item><item><title>Azure Network Firewall Policy Modification or Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-policy-changes/</link><pubDate>Wed, 03 Jan 2024 18:12:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-policy-changes/</guid><description>An adversary may modify or delete Azure Network Firewall Policies to impair defenses and potentially impact network security.</description><content:encoded><![CDATA[<p>Attackers may target Azure Network Firewall Policies to weaken an organization&rsquo;s security posture. By modifying existing policies, adversaries can introduce rules that allow malicious traffic, disable existing protections, or create backdoors for future access. Deleting firewall policies altogether removes a critical layer of defense, potentially exposing internal resources to external threats. This activity is typically conducted after gaining initial access to the Azure environment through compromised credentials or other means. Monitoring for unauthorized changes to firewall policies is critical for maintaining network security and preventing potential data breaches or service disruptions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Azure environment, possibly through compromised credentials or a vulnerability in a deployed application.</li>
<li>The attacker enumerates existing Azure Network Firewall Policies using Azure CLI or PowerShell commands.</li>
<li>The attacker identifies a firewall policy to modify or delete to achieve their objectives.</li>
<li>If modifying, the attacker uses commands such as <code>Set-AzNetworkFirewallPolicy</code> or the Azure portal to alter the policy rules, potentially adding permissive rules or disabling existing restrictions.</li>
<li>If deleting, the attacker uses commands such as <code>Remove-AzNetworkFirewallPolicy</code> or the Azure portal to remove the firewall policy entirely.</li>
<li>The changes are applied to the Azure Network Firewall, impacting network traffic filtering.</li>
<li>The attacker validates the effectiveness of the modified or deleted policy by testing network connectivity to previously protected resources.</li>
<li>The attacker proceeds to exploit the newly exposed resources for data exfiltration, lateral movement, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification or deletion of Azure Network Firewall policies can lead to significant security breaches. Attackers may be able to bypass network segmentation, gain unauthorized access to sensitive data, disrupt critical services, or deploy malicious code within the network. The impact can range from data theft and financial loss to reputational damage and regulatory penalties. The number of affected resources depends on the scope of the compromised firewall policy and the attacker&rsquo;s subsequent actions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the Sigma rule &ldquo;Azure Network Firewall Policy Modified or Deleted&rdquo; to detect unauthorized changes to firewall policies (logsource product: azure, service: activitylogs).</li>
<li>Review user identities and user agents associated with detected events to determine if the changes were made by authorized personnel or malicious actors, as detailed in the false positives section.</li>
<li>Enable multi-factor authentication (MFA) for all Azure accounts to reduce the risk of credential compromise.</li>
<li>Enforce the principle of least privilege by granting users only the necessary permissions to manage firewall policies.</li>
<li>Implement continuous monitoring and alerting for all Azure resources, including network firewalls, to detect suspicious activity and potential security breaches.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.impact</category><category>attack.defense-impairment</category><category>attack.t1686.001</category></item></channel></rss>