{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/waf/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure Front Door WAF"],"_cs_severities":["low"],"_cs_tags":["azure","waf","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized or malicious deletion of Azure Front Door Web Application Firewall (WAF) policies. Azure Front Door WAF policies are critical security controls that protect web applications by filtering and monitoring HTTP requests, blocking malicious traffic and preventing exploitation of vulnerabilities. An adversary may delete these policies to bypass security measures, facilitating unauthorized access, data exfiltration, or other malicious activities. The deletion of a WAF policy can have a significant impact, potentially exposing web applications to a wide range of attacks, including SQL injection, cross-site scripting (XSS), and other web-based threats. Defenders should monitor for unexpected deletions of these policies and promptly investigate any such events. This brief provides guidance for detection engineers to identify and respond to this type of defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to an Azure account with sufficient privileges to manage Front Door WAF policies, possibly through compromised credentials or exploiting a privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing Front Door WAF policies to identify targets for disabling or deletion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker initiates the deletion of a Front Door WAF policy using the Azure portal, Azure CLI, or PowerShell. The specific operation name is \u0026quot;MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\u0026quot;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker may attempt to prevent detection by disabling logging or other security monitoring features within Azure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e With the WAF policy removed, web applications protected by the policy become vulnerable to a wide range of web-based attacks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Exploitation:\u003c/strong\u003e The attacker leverages the unprotected web applications to gain unauthorized access to sensitive data, deploy malware, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of a Front Door WAF policy can expose web applications to a variety of attacks, including SQL injection, cross-site scripting (XSS), and DDoS attacks. This can lead to data breaches, service disruptions, and reputational damage. The severity of the impact depends on the criticality of the protected applications and the sensitivity of the data they process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAzure Front Door WAF Policy Deleted\u003c/code\u003e to your SIEM to detect unauthorized WAF policy deletions by monitoring Azure activity logs.\u003c/li\u003e\n\u003cli\u003eEnable Azure Activity Log monitoring and ensure logs are ingested into your SIEM to provide the data source for the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement Role-Based Access Control (RBAC) with the principle of least privilege to restrict access to Azure management operations and minimize the risk of unauthorized policy modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified WAF policy deletion events by examining the associated user identity and the context of the deletion, as described in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:30:00Z","date_published":"2024-01-09T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-azure-frontdoor-waf-deletion/","summary":"Detection of Azure Front Door Web Application Firewall (WAF) policy deletion, which can indicate an attacker's attempt to evade defenses by removing a security layer protecting web applications.","title":"Azure Front Door WAF Policy Deletion Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-frontdoor-waf-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS WAF"],"_cs_severities":["medium"],"_cs_tags":["aws","waf","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on the deletion of AWS Web Application Firewall (WAF) rules or rule groups. AWS WAF rules and rule groups are essential for protecting web applications by filtering malicious HTTP requests, blocking known attack patterns, and enforcing access controls. The deletion of these rules, even temporarily, can expose applications to significant risks, including SQL injection, cross-site scripting, and credential stuffing. Threat actors with sufficient permissions may remove WAF protections as part of a defense evasion or impact strategy, with the goal of data theft or application compromise. The focus is on detecting successful \u003ccode\u003eDeleteRule\u003c/code\u003e or \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e API calls within CloudTrail logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to an AWS account with sufficient permissions to modify WAF configurations. This could be achieved through compromised credentials or an IAM role with excessive privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e If the initial access lacks the necessary permissions, the attacker may attempt to escalate privileges within the AWS environment, potentially exploiting misconfigured IAM policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates existing WAF rules and rule groups within the targeted AWS account, identifying the rules that provide key protections for web applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker deletes a WAF rule or rule group using the \u003ccode\u003eDeleteRule\u003c/code\u003e or \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e API call, effectively disabling the protections it provided.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation:\u003c/strong\u003e With the WAF rule removed, the attacker exploits vulnerabilities in the web application that were previously protected by the rule. This could involve SQL injection, cross-site scripting, or other attack vectors.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Optional):\u003c/strong\u003e If the exploitation is successful, the attacker may exfiltrate sensitive data from the compromised web application or its backend systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, which could include data theft, application compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of WAF rules can have significant consequences, potentially affecting numerous web applications and their users. The number of affected applications and users depends on the scope of the deleted rules and the criticality of the protected applications. If an attack succeeds, organizations may experience data breaches, financial losses, reputational damage, and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging and monitor for \u003ccode\u003eDeleteRule\u003c/code\u003e and \u003ccode\u003eDeleteRuleGroup\u003c/code\u003e API calls to detect WAF rule deletions (reference: query in the source).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eAWS WAF Rule Deletion\u003c/code\u003e to identify suspicious WAF rule deletion activity (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eAWS WAF Rule Group Deletion\u003c/code\u003e to identify suspicious WAF rule group deletion activity (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eReview IAM policies to ensure that only authorized users and roles have permissions to modify WAF configurations.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AWS accounts, especially those with privileged access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-waf-deletion/","summary":"Detection of AWS WAF rule or rule group deletions, which can weaken web application security and expose applications to various attacks.","title":"AWS WAF Rule or Rule Group Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-waf-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS WAF","AWS WAF Classic","AWS WAF Regional","AWS WAFv2"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","waf","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of AWS Web Application Firewall (WAF) Web ACL deletion. AWS WAF protects web applications by filtering malicious HTTP/S traffic. A Web ACL acts as the central enforcement point, determining which traffic is inspected, allowed, or blocked. An attacker with sufficient privileges may delete a Web ACL to disable these protections. This action bypasses configured rules, protections, and logging, potentially leading to web-application compromise, data theft, or resource abuse. Because Web ACLs are critical security components, their deletion is rare and can signal malicious activity. This detection focuses on identifying successful \u003ccode\u003eDeleteWebACL\u003c/code\u003e events across WAF Classic, WAF Regional, and WAFv2 APIs in AWS CloudTrail logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an AWS account with sufficient IAM permissions to manage WAF resources, potentially through compromised credentials or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the AWS environment using the compromised credentials or assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI, SDK, or Management Console to issue a \u003ccode\u003eDeleteWebACL\u003c/code\u003e API call targeting a specific Web ACL.\u003c/li\u003e\n\u003cli\u003eThe API call is successful, and the targeted Web ACL is removed from the AWS environment.\u003c/li\u003e\n\u003cli\u003eAll rules, protections, and logging configurations associated with the deleted Web ACL are immediately disabled.\u003c/li\u003e\n\u003cli\u003eWeb applications previously protected by the deleted Web ACL are now exposed to potentially malicious traffic without filtering or monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker may then exploit vulnerabilities in the exposed web applications to gain unauthorized access or steal sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of a Web ACL can have significant consequences. Applications previously protected by the Web ACL are exposed to direct exploitation. This could lead to web application compromise, data theft, or resource abuse. The number of affected applications depends on the scope of the deleted Web ACL. Successful exploitation can result in financial loss, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging for all regions to capture API activity related to WAF configurations and deletions. Use \u003ccode\u003edata_stream.dataset: aws.cloudtrail\u003c/code\u003e and \u003ccode\u003eevent.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)\u003c/code\u003e to filter logs (see query in this brief).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect unauthorized Web ACL deletions and tune it to your environment, accounting for authorized deletions during maintenance windows or IaC deployments.\u003c/li\u003e\n\u003cli\u003eRestrict IAM permissions for \u003ccode\u003ewaf:DeleteWebACL\u003c/code\u003e and \u003ccode\u003ewafv2:DeleteWebACL\u003c/code\u003e to a limited set of trusted roles, enforcing MFA for administrative access to prevent unauthorized deletions.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaccess_key_id\u003c/code\u003e in CloudTrail logs to identify the actor initiating the deletion and determine if the principal normally manages WAF resources (see investigation fields).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-waf-acl-deletion/","summary":"Detection of AWS Web Application Firewall (WAF) Web ACL deletion, which adversaries may perform to disable security controls, evade detection, and prepare for subsequent attacks, potentially leading to web-application compromise, data theft, or resource abuse.","title":"AWS WAF Access Control List Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-02-aws-waf-acl-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Waf","version":"https://jsonfeed.org/version/1.1"}