{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1489/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["medium"],"_cs_tags":["azure","application","deletion","impact","t1489"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where an application is deleted within an Azure environment. While legitimate application deletions occur as part of IT administration, malicious actors might delete applications to disrupt services, remove evidence of their presence, or prepare for a larger attack by removing security controls or access points. This activity is logged within Azure Activity Logs and includes events such as \u0026ldquo;Delete application\u0026rdquo; and \u0026ldquo;Hard Delete application\u0026rdquo;. Monitoring these events can provide early warning of potential security incidents or compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an Azure account, potentially through compromised credentials or exploiting a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates their privileges within the Azure environment to gain sufficient permissions to manage and delete applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies target applications for deletion, potentially those critical for business operations or those used for security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Monitoring (Optional):\u003c/strong\u003e The attacker attempts to disable logging or monitoring related to application management to avoid detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Deletion:\u003c/strong\u003e The attacker initiates the deletion of the targeted application using the Azure portal, Azure CLI, or PowerShell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfirmation/Hard Delete:\u003c/strong\u003e Depending on the application\u0026rsquo;s configuration and Azure policies, the attacker may need to confirm the deletion or perform a \u0026ldquo;hard delete\u0026rdquo; to permanently remove the application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCover Tracks:\u003c/strong\u003e The attacker attempts to remove any remaining logs or traces of their activity to hinder forensic investigation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e Service disruption or data loss due to the deleted application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of an Azure application can lead to significant service disruption, data loss, and potential financial damages. The impact depends on the criticality of the deleted application and the organization\u0026rsquo;s disaster recovery capabilities. Successful deletion can interrupt business processes, impacting both internal users and external customers. It may also lead to reputational damage and compliance violations if the application handled sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect application deletion events in Azure Activity Logs.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions in Azure Active Directory (Entra ID) and enforce the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eEnable auditing and logging for all Azure resources, including application management activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected application deletion events promptly to determine the root cause and potential impact.\u003c/li\u003e\n\u003cli\u003eEstablish a process for reviewing and approving application deletion requests to prevent accidental or malicious deletions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:27:00Z","date_published":"2024-01-03T15:27:00Z","id":"/briefs/2024-01-azure-app-deletion/","summary":"This alert identifies when an application is deleted within an Azure environment, which could indicate malicious activity or unintended misconfiguration leading to service disruption.","title":"Detection of Azure Application Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-app-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — T1489","version":"https://jsonfeed.org/version/1.1"}