{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/resource-group/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","resource-group","deletion","impact"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe deletion of an Azure Resource Group is a significant event that can indicate malicious activity. A resource group acts as a container for Azure resources, and its deletion removes all contained resources permanently and irreversibly. An adversary may leverage resource group deletion to disrupt services, destroy data, or evade detection by eliminating evidence of their presence. This activity is often performed after other malicious actions, such as data exfiltration or system compromise, to cover tracks and maximize impact. This detection identifies the \u0026quot;MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\u0026quot; operation within Azure activity logs, focusing on successful deletion attempts. The scope of targeting is broad, as any Azure environment is susceptible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains unauthorized access to an Azure account or service principal with sufficient privileges.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if needed): The attacker escalates their privileges within the Azure environment to gain the ability to delete resource groups.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker identifies resource groups containing valuable data or critical services using Azure Resource Manager or similar tools.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker disables or modifies security tools and logging configurations to prevent detection of their activity (T1562.001).\u003c/li\u003e\n\u003cli\u003eData Destruction: The attacker initiates the deletion of the identified resource groups via the Azure portal, CLI, or API, using the \u003ccode\u003eMICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eInhibit System Recovery: The attacker deletes backups or snapshots associated with the resource groups to hinder recovery efforts (T1490).\u003c/li\u003e\n\u003cli\u003eService Stop: The deletion of the resource group terminates any services running within it, leading to service disruption (T1489).\u003c/li\u003e\n\u003cli\u003eImpact: The targeted services and data are permanently deleted, causing significant operational disruption and potential data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an Azure resource group can have severe consequences. It leads to the immediate and irreversible loss of all resources within the group, potentially impacting critical services, applications, and data. The number of affected users and the extent of the damage depend on the contents of the deleted resource group. Successful attacks can result in business interruption, data loss, reputational damage, and financial losses. The sectors most vulnerable are those heavily reliant on Azure services, including finance, healthcare, and technology.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Azure resource group deletion events using \u003ccode\u003edata_stream.dataset:azure.activitylogs\u003c/code\u003e and \u003ccode\u003eazure.activitylogs.operation_name:\u0026quot;MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for \u003ccode\u003eMICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\u003c/code\u003e events, focusing on the user identity associated with the deletion.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the ability to delete resource groups to only authorized personnel.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to security tools or logging configurations as described in technique T1562.001 before resource group deletion events.\u003c/li\u003e\n\u003cli\u003eCreate and regularly test backup and recovery procedures for Azure resources to mitigate the impact of accidental or malicious deletions (T1490).\u003c/li\u003e\n\u003cli\u003eInvestigate any unexpected or unauthorized resource group deletions immediately and thoroughly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:27:52Z","date_published":"2024-01-09T14:27:52Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-azure-resource-group-deletion/","summary":"This rule detects the deletion of a resource group in Azure. Deleting a resource group permanently removes all resources within it, which adversaries may use to evade defenses or destroy data.","title":"Azure Resource Group Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-09-azure-resource-group-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Resource-Group","version":"https://jsonfeed.org/version/1.1"}