AWS SAML Provider Deletion Activity

hello@craftedsignal.io — Thu, 19 Dec 2024 00:00:00 +0000

The deletion of a SAML provider in AWS can be a significant indicator of malicious activity. An attacker who has gained initial access to an AWS environment may attempt to remove the SAML provider used by the information security team or system administrators. This action can severely impede the team’s ability to investigate and respond to ongoing attacks. By disrupting access, the attacker gains a window of opportunity to further escalate privileges, move laterally within the environment, and achieve their objectives without immediate detection or intervention. This activity directly impacts the availability and integrity of resources within the AWS cloud environment.

Attack Chain

Initial access is gained to an AWS account through compromised credentials or other means (T1078.004).
The attacker enumerates existing IAM resources, including SAML providers, using AWS CLI or API calls.
The attacker identifies the SAML provider used by administrative or security teams.
The attacker executes the DeleteSAMLProvider API call via the AWS CLI, API, or AWS Management Console (T1531).
The DeleteSAMLProvider event is logged in AWS CloudTrail with a “success” status.
Administrative and security teams lose access to AWS resources that require SAML authentication.
The attacker leverages the compromised account to escalate privileges, create new IAM users, or modify existing policies.
The attacker persists in the environment, potentially exfiltrating data or deploying malicious workloads (T1485).

Impact

The deletion of an AWS SAML provider can have serious consequences. It disrupts access for administrators and security personnel, delaying incident response and potentially allowing attackers to further compromise the environment. This can lead to data breaches, service disruptions, and financial losses. The severity of the impact depends on the criticality of the affected AWS resources and the speed of detection and recovery.

Recommendation

Deploy the Sigma rule “AWS SAML Provider Deletion Activity” to your SIEM and tune for your environment to detect this specific event.
Investigate any DeleteSAMLProvider events in AWS CloudTrail, focusing on the user identity, user agent, and source IP address (logsource: aws/cloudtrail).
Implement multi-factor authentication (MFA) for all IAM users, especially those with administrative privileges, to reduce the risk of credential compromise (T1110).
Review and enforce the principle of least privilege for all IAM roles and users to limit the impact of compromised credentials.

Detection of Azure Application Deletion

hello@craftedsignal.io — Wed, 03 Jan 2024 15:27:00 +0000

This detection focuses on identifying instances where an application is deleted within an Azure environment. While legitimate application deletions occur as part of IT administration, malicious actors might delete applications to disrupt services, remove evidence of their presence, or prepare for a larger attack by removing security controls or access points. This activity is logged within Azure Activity Logs and includes events such as “Delete application” and “Hard Delete application”. Monitoring these events can provide early warning of potential security incidents or compliance violations.

Attack Chain

Initial Access: An attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability in an application.
Privilege Escalation (Optional): The attacker escalates their privileges within the Azure environment to gain sufficient permissions to manage and delete applications.
Reconnaissance: The attacker identifies target applications for deletion, potentially those critical for business operations or those used for security controls.
Disable Monitoring (Optional): The attacker attempts to disable logging or monitoring related to application management to avoid detection.
Application Deletion: The attacker initiates the deletion of the targeted application using the Azure portal, Azure CLI, or PowerShell.
Confirmation/Hard Delete: Depending on the application’s configuration and Azure policies, the attacker may need to confirm the deletion or perform a “hard delete” to permanently remove the application.
Cover Tracks: The attacker attempts to remove any remaining logs or traces of their activity to hinder forensic investigation.
Impact: Service disruption or data loss due to the deleted application.

Impact

The deletion of an Azure application can lead to significant service disruption, data loss, and potential financial damages. The impact depends on the criticality of the deleted application and the organization’s disaster recovery capabilities. Successful deletion can interrupt business processes, impacting both internal users and external customers. It may also lead to reputational damage and compliance violations if the application handled sensitive data.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect application deletion events in Azure Activity Logs.
Review user roles and permissions in Azure Active Directory (Entra ID) and enforce the principle of least privilege.
Implement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.
Enable auditing and logging for all Azure resources, including application management activities.
Investigate any detected application deletion events promptly to determine the root cause and potential impact.
Establish a process for reviewing and approving application deletion requests to prevent accidental or malicious deletions.

Deletion — CraftedSignal Threat Feed

AWS SAML Provider Deletion Activity

Attack Chain

Impact

Recommendation

Detection of Azure Application Deletion

Attack Chain

Impact

Recommendation