<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Waf - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/waf/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/waf/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure Front Door WAF Policy Deletion Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-frontdoor-waf-deletion/</link><pubDate>Tue, 09 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-frontdoor-waf-deletion/</guid><description>Detection of Azure Front Door Web Application Firewall (WAF) policy deletion, which can indicate an attacker's attempt to evade defenses by removing a security layer protecting web applications.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of unauthorized or malicious deletion of Azure Front Door Web Application Firewall (WAF) policies. Azure Front Door WAF policies are critical security controls that protect web applications by filtering and monitoring HTTP requests, blocking malicious traffic and preventing exploitation of vulnerabilities. An adversary may delete these policies to bypass security measures, facilitating unauthorized access, data exfiltration, or other malicious activities. The deletion of a WAF policy can have a significant impact, potentially exposing web applications to a wide range of attacks, including SQL injection, cross-site scripting (XSS), and other web-based threats. Defenders should monitor for unexpected deletions of these policies and promptly investigate any such events. This brief provides guidance for detection engineers to identify and respond to this type of defense evasion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to an Azure account with sufficient privileges to manage Front Door WAF policies, possibly through compromised credentials or exploiting a privilege escalation vulnerability.</li>
<li><strong>Discovery:</strong> The attacker enumerates existing Front Door WAF policies to identify targets for disabling or deletion.</li>
<li><strong>Defense Evasion:</strong> The attacker initiates the deletion of a Front Door WAF policy using the Azure portal, Azure CLI, or PowerShell. The specific operation name is &quot;MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE&quot;.</li>
<li><strong>Persistence (Optional):</strong> The attacker may attempt to prevent detection by disabling logging or other security monitoring features within Azure.</li>
<li><strong>Impact:</strong> With the WAF policy removed, web applications protected by the policy become vulnerable to a wide range of web-based attacks.</li>
<li><strong>Further Exploitation:</strong> The attacker leverages the unprotected web applications to gain unauthorized access to sensitive data, deploy malware, or perform other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of a Front Door WAF policy can expose web applications to a variety of attacks, including SQL injection, cross-site scripting (XSS), and DDoS attacks. This can lead to data breaches, service disruptions, and reputational damage. The severity of the impact depends on the criticality of the protected applications and the sensitivity of the data they process.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Azure Front Door WAF Policy Deleted</code> to your SIEM to detect unauthorized WAF policy deletions by monitoring Azure activity logs.</li>
<li>Enable Azure Activity Log monitoring and ensure logs are ingested into your SIEM to provide the data source for the detection rule.</li>
<li>Implement Role-Based Access Control (RBAC) with the principle of least privilege to restrict access to Azure management operations and minimize the risk of unauthorized policy modifications.</li>
<li>Investigate any identified WAF policy deletion events by examining the associated user identity and the context of the deletion, as described in the overview.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>azure</category><category>waf</category><category>defense_evasion</category></item><item><title>AWS WAF Rule or Rule Group Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-aws-waf-deletion/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-aws-waf-deletion/</guid><description>Detection of AWS WAF rule or rule group deletions, which can weaken web application security and expose applications to various attacks.</description><content:encoded><![CDATA[<p>This threat brief focuses on the deletion of AWS Web Application Firewall (WAF) rules or rule groups. AWS WAF rules and rule groups are essential for protecting web applications by filtering malicious HTTP requests, blocking known attack patterns, and enforcing access controls. The deletion of these rules, even temporarily, can expose applications to significant risks, including SQL injection, cross-site scripting, and credential stuffing. Threat actors with sufficient permissions may remove WAF protections as part of a defense evasion or impact strategy, with the goal of data theft or application compromise. The focus is on detecting successful <code>DeleteRule</code> or <code>DeleteRuleGroup</code> API calls within CloudTrail logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to an AWS account with sufficient permissions to modify WAF configurations. This could be achieved through compromised credentials or an IAM role with excessive privileges.</li>
<li><strong>Privilege Escalation (Optional):</strong> If the initial access lacks the necessary permissions, the attacker may attempt to escalate privileges within the AWS environment, potentially exploiting misconfigured IAM policies.</li>
<li><strong>Discovery:</strong> The attacker enumerates existing WAF rules and rule groups within the targeted AWS account, identifying the rules that provide key protections for web applications.</li>
<li><strong>Defense Evasion:</strong> The attacker deletes a WAF rule or rule group using the <code>DeleteRule</code> or <code>DeleteRuleGroup</code> API call, effectively disabling the protections it provided.</li>
<li><strong>Exploitation:</strong> With the WAF rule removed, the attacker exploits vulnerabilities in the web application that were previously protected by the rule. This could involve SQL injection, cross-site scripting, or other attack vectors.</li>
<li><strong>Data Exfiltration (Optional):</strong> If the exploitation is successful, the attacker may exfiltrate sensitive data from the compromised web application or its backend systems.</li>
<li><strong>Impact:</strong> The attacker achieves their objective, which could include data theft, application compromise, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of WAF rules can have significant consequences, potentially affecting numerous web applications and their users. The number of affected applications and users depends on the scope of the deleted rules and the criticality of the protected applications. If an attack succeeds, organizations may experience data breaches, financial losses, reputational damage, and regulatory fines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail logging and monitor for <code>DeleteRule</code> and <code>DeleteRuleGroup</code> API calls to detect WAF rule deletions (reference: query in the source).</li>
<li>Implement the Sigma rule <code>AWS WAF Rule Deletion</code> to identify suspicious WAF rule deletion activity (reference: Sigma rule below).</li>
<li>Implement the Sigma rule <code>AWS WAF Rule Group Deletion</code> to identify suspicious WAF rule group deletion activity (reference: Sigma rule below).</li>
<li>Review IAM policies to ensure that only authorized users and roles have permissions to modify WAF configurations.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts, especially those with privileged access.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>waf</category><category>defense-evasion</category><category>cloud</category></item><item><title>AWS WAF Access Control List Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-aws-waf-acl-deletion/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-aws-waf-acl-deletion/</guid><description>Detection of AWS Web Application Firewall (WAF) Web ACL deletion, which adversaries may perform to disable security controls, evade detection, and prepare for subsequent attacks, potentially leading to web-application compromise, data theft, or resource abuse.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of AWS Web Application Firewall (WAF) Web ACL deletion. AWS WAF protects web applications by filtering malicious HTTP/S traffic. A Web ACL acts as the central enforcement point, determining which traffic is inspected, allowed, or blocked. An attacker with sufficient privileges may delete a Web ACL to disable these protections. This action bypasses configured rules, protections, and logging, potentially leading to web-application compromise, data theft, or resource abuse. Because Web ACLs are critical security components, their deletion is rare and can signal malicious activity. This detection focuses on identifying successful <code>DeleteWebACL</code> events across WAF Classic, WAF Regional, and WAFv2 APIs in AWS CloudTrail logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to an AWS account with sufficient IAM permissions to manage WAF resources, potentially through compromised credentials or privilege escalation.</li>
<li>The attacker authenticates to the AWS environment using the compromised credentials or assumed role.</li>
<li>The attacker uses the AWS CLI, SDK, or Management Console to issue a <code>DeleteWebACL</code> API call targeting a specific Web ACL.</li>
<li>The API call is successful, and the targeted Web ACL is removed from the AWS environment.</li>
<li>All rules, protections, and logging configurations associated with the deleted Web ACL are immediately disabled.</li>
<li>Web applications previously protected by the deleted Web ACL are now exposed to potentially malicious traffic without filtering or monitoring.</li>
<li>The attacker may then exploit vulnerabilities in the exposed web applications to gain unauthorized access or steal sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of a Web ACL can have significant consequences. Applications previously protected by the Web ACL are exposed to direct exploitation. This could lead to web application compromise, data theft, or resource abuse. The number of affected applications depends on the scope of the deleted Web ACL. Successful exploitation can result in financial loss, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable AWS CloudTrail logging for all regions to capture API activity related to WAF configurations and deletions. Use <code>data_stream.dataset: aws.cloudtrail</code> and <code>event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)</code> to filter logs (see query in this brief).</li>
<li>Deploy the Sigma rule to detect unauthorized Web ACL deletions and tune it to your environment, accounting for authorized deletions during maintenance windows or IaC deployments.</li>
<li>Restrict IAM permissions for <code>waf:DeleteWebACL</code> and <code>wafv2:DeleteWebACL</code> to a limited set of trusted roles, enforcing MFA for administrative access to prevent unauthorized deletions.</li>
<li>Monitor <code>aws.cloudtrail.user_identity.arn</code> and <code>access_key_id</code> in CloudTrail logs to identify the actor initiating the deletion and determine if the principal normally manages WAF resources (see investigation fields).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>waf</category><category>defense-evasion</category></item></channel></rss>