This alert triggers when a successful HTTP GET request targets a URL that ends with a set of specific file extensions that can contain information that shouldn't be disclosed directly to the internet. The following file extensions are detected by this alert: Configuration Files: .env, .config, .ini, .conf Backup Files: .bak, .old Log Files: .log, .log.txt Source Code Files: .java, .py, .rb Database Dump Files: .sql, .dump Backup Scripts: .sh, .bat, .ps1 Private Keys and Certificates: .pem, .key, .p12, .crt Please Note: This alert may require tuning based on the web application usage (ie if it serves any of the above-mentioned file extensions). File extensions can be added/removed and match conditions can be tuned to a lower/higher rate of occurrence to match the operation of the web application. Impact Information disclosure attacks can have severe consequences for organizations which can result in a data and privacy breach. Mitigation Validate the requests intercepted by the WAF. If these seem suspicious, investigate further by examining the source IPs, requested URLs, etc. MITRE Tactic: TA0001 MITRE Technique: T1190

This alert triggers when a possible brute force attack is performed against a login page. Brute force attacks on login pages involve systematically attempting multiple combinations of usernames and passwords until a successful login is achieved. This technique relies on the assumption that weak or commonly used credentials can be guessed through exhaustive trial and error. Impact The impact varies depending on the success of the attack and the targeted system's sensitivity, such as; Account compromise, Privilege escalation, Data breach, Resource exhaustion, and Weakened security posture. Mitigation Validate the requests intercepted by the WAF. If these seem suspicious, investigate further by examining the source IPs, requested URLs, etc. MITRE Tactic: TA0006 MITRE Technique: T1110

This alert triggers when the terminating rule mentioned in the logs is related to command injection or code injection attacks. Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Impact In Command Injection, the attacker extends the default functionality of the application, which executes system commands, without the necessity of injecting code. In a Code Injection attack, attackers can introduce (or inject) code into a computer program with this type of vulnerability. Mitigation Validate the requests intercepted by the WAF. If these seem suspicious, investigate further by examining the source IPs, requested URLs, etc. MITRE Tactic: TA0001 MITRE Technique: T1190

This alert triggers when the terminating rule mentioned in the logs is about common vulnerability exploits. Impact Threat actors can gain initial access to a network by exploiting common vulnerabilities present in a web application. Mitigation Investigate further based on the mentioned CVE in the logs. MITRE Tactic: TA0001 MITRE Technique: T1190

'Summary This alert is activated when an AWS WAF log entry identifies a rule termination associated with Remote File Inclusion (RFI) attacks. RFI attacks exploit vulnerabilities in web applications by manipulating input parameters or file inclusion mechanisms. This allows attackers to include and execute malicious files hosted on external servers. The goal is to trick the web application into processing these remote files, potentially leading to unauthorized access or harmful actions. Impact Potential impact of RFI attacks include: - Arbitrary Code Execution: Attackers may execute arbitrary code on the server, which can lead to complete system compromise - Unauthorized Data Access: By exploiting RFI vulnerabilities, attackers can gain unauthorized access to sensitive data, exposing both user and organizational information to risk - System Compromise: The integrity and security of the entire system may be compromised, allowing attackers to manipulate or control system functionalities - Operational Disruption: RFI attacks can disrupt the normal functioning of the targeted application, leading to service outages or degraded performance - Data Breaches: Successful RFI attacks can result in data breaches, potentially exposing confidential data and violating compliance regulations - Reputational Damage: Incidents resulting from RFI attacks can damage the organization''s reputation, resulting in loss of customer trust and potential financial liabilities Mitigation Mitigation steps for RFI attacks include: - Request Validation: Carefully examine all requests flagged by AWS WAF for signs of RFI attack patterns. Focus on validating the legitimacy and integrity of each request to ensure they are not carrying malicious payloads - In-Depth Analysis: If a request appears suspicious, conduct a detailed investigation into its origins. Analyze the source IP addresses, requested URLs, and any other relevant metadata to trace the source and intent of the attack - Behavior Monitoring: Monitor for unusual request patterns or spikes in traffic from particular IPs or to specific URLs, which could indicate an ongoing or attempted RFI attack - Enhanced Filtering: Adjust WAF rules to strengthen filtering criteria based on the insights gained from the investigation, aiming to block similar future attempts more effectively - Security Patches and Updates: Ensure that all web applications are up-to-date with the latest security patches, particularly those that close vulnerabilities exploitable by RFI attacks MITRE Tactic: TA0001 MITRE Technique: T1190'

'Summary This alert is initiated when AWS WAF logs indicate that a rule associated with Local File Inclusion (LFI) has been triggered. LFI attacks exploit vulnerabilities in web applications that fail to properly validate or sanitize user input. This vulnerability allows attackers to manipulate file paths to include and execute files that are locally stored on the server. Such actions can lead to unauthorized access to sensitive files, execution of malicious scripts, or other compromising activities on the server. Impact Potential impact of LFI attacks include: - Unauthorized Disclosure: LFI attacks can result in the unauthorized disclosure of sensitive information stored on the server. This can include confidential data such as personal details, credentials, and internal configurations - Remote Code Execution: By exploiting LFI vulnerabilities, attackers may execute arbitrary code on the server. This can lead to further malicious activities, including additional exploits and malware deployment - Server Integrity Compromise: LFI attacks threaten the overall integrity of the server. Manipulation of local files can alter server behavior, disable services, or corrupt data and applications, potentially leading to prolonged downtime and operational disruption Mitigation Mitigation steps for LFI attacks include: - Request Validation: Closely inspect all requests flagged by AWS WAF for indications of LFI attack patterns. Scrutinize requests to identify any unusual or unauthorized attempts to access local files - Detailed Investigation: If a request raises suspicion, conduct an in-depth analysis. Examine source IP addresses, requested URLs, and any associated query parameters. Look for patterns or anomalies that could indicate manipulative behavior typical of LFI attacks - Enhanced Monitoring: Implement continuous monitoring for signs of manipulation or unusual access patterns. This should include real-time alerts for any access requests to sensitive or system-critical files - Rule Optimization: Regularly update and refine AWS WAF rules based on the latest threat intelligence and observed attack vectors. Ensure that rules are designed to detect and mitigate common and emerging LFI techniques - Security Best Practices: Enforce strict input validation, sanitization, and whitelisting of allowed files and directories to prevent unauthorized file inclusion. Ensure all software components are up-to-date with patches, particularly those that mitigate known vulnerabilities MITRE Tactic: TA0001 MITRE Technique: T1190'

This alert is triggered when an AWS WAF log entry indicates that a rule from the Fraud Control Account Takeover Prevention (ATP) managed rule group has terminated a request. The ATP managed rule group specifically targets and manages requests that show patterns potentially linked to malicious account takeover attempts. Account takeover refers to unauthorized access to a users account by an attacker, who may then engage in fraudulent activities such as financial theft, data breaches, or unauthorized transactions. Impact When an attacker gains unauthorized access to an account, the consequences can be severe and multi-faceted. Potential impact includes: - Financial Loss: Attackers may steal funds directly from the victimu2019s accounts or engage in unauthorized transactions that result in financial loss to the victim. - Identity Theft: The attacker may impersonate the victim to access and manipulate other accounts owned by the victim, further increasing the risk of financial and reputational damage. - Data Breach: Sensitive personal or organizational information may be accessed and exploited, leading to privacy violations and potential compliance issues. - Extended Fraud: By using the compromised account as a foothold, the attacker could potentially gain access to the accounts of others, including individuals and organizations connected to the initial victim, spreading the impact of the attack. Mitigation Upon triggering of this alert, follow these steps to mitigate potential risks and further assess the situation: - Request Validation: Thoroughly review and validate all requests intercepted by AWS WAF to ascertain if they exhibit suspicious patterns or anomalies. - Detailed Analysis: Investigate further by analyzing source IP addresses, requested URLs, and other relevant request metadata. Look for unusual activity or inconsistencies in the data. - Rule Correlation: Check if other AWS WAF rules were triggered around the same time to identify broader attack patterns or coordinated attack attempts. - Log Correlation: Enhance visibility and context by correlating AWS WAF logs with logs from other AWS services such as Amazon CloudFront. This can help in understanding the scope and method of the attack. - Immediate Containment: Implement containment measures such as blocking suspicious IP addresses or temporarily restricting access to vulnerable application features if an attack is confirmed. MITRE Tactic: TA0001 MITRE Technique: T1190"

'Summary This alert is activated when AWS WAF logs identify a terminating rule associated with cross-site scripting (XSS) attacks. Cross-Site Scripting (XSS) is a prevalent security threat where attackers inject malicious scripts into web pages viewed by other users. These attacks exploit vulnerabilities in web applications that fail to adequately sanitize user-supplied input. XSS can lead to a variety of harmful outcomes, including stealing cookies, session tokens, or other sensitive information from users, and manipulating or defacing the content of a web page. Impact Potential impact of suspected XSS attack include: - Unauthorized Script Execution: Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages. These scripts are then executed by the browsers of unsuspecting users who visit the compromised web page. Since the browser interprets these scripts as originating from a trusted source, it executes them without suspicion - Data Theft: The executed script can access any cookies, session tokens, and other sensitive information that the browser stores for that site. This allows attackers to steal identities, hijack sessions, or commit fraud by impersonating the user - Security and Privacy Breaches: Beyond stealing data, these scripts can also perform actions on behalf of the user, potentially leading to unauthorized transactions, data alterations, or privacy breaches. The impact extends to defacing the website, spreading malware, or propagating the attack to other users Mitigation Mitigation steps for suspected XSS attacks include: - Request Validation: Conduct thorough inspections of all requests intercepted by AWS WAF to identify potential XSS patterns. This includes looking for malicious scripts or anomalies in inputs that resemble script tags, JavaScript events, or other script-related content. - Detailed Investigation: For any requests flagged as suspicious, perform a comprehensive analysis. This should include examining the source IPs, the specific URLs requested, and the nature of any scripts or commands included in the requests. Investigate the context of the requests to better understand the attack vector. - Enhance XSS Defenses: Update and refine WAF rules specifically designed to detect and block XSS attacks. Regularly review these rules in response to emerging XSS techniques and vulnerabilities. - Content Security Policies: Implement stringent Content Security Policies (CSP) that restrict the sources from which scripts can be loaded. This reduces the risk of XSS attacks by only allowing scripts from trusted sources. - Input Sanitization: Ensure that all user inputs are properly sanitized before being processed by your applications. This should include encoding or escaping inputs where appropriate to prevent malicious data from being rendered as executable code. MITRE Tactic: TA0001 MITRE Technique: T1190'

'Summary This alert is activated when AWS WAF logs indicate a termination rule associated with SQL Injection attacks. SQL Injection is a critical security threat where an attacker attempts to interfere with the queries that an application makes to its database. Typically, it involves inserting or "injecting" malicious SQL statements into an entry field for execution, which can lead to unauthorized access, data theft, and manipulation of the database. This alert aims to detect and respond to such attempts to protect the application from potential breaches. Impact Potential impact of a suspected SQL Injection attempt include: - Identity Spoofing: SQL injection can allow attackers to impersonate legitimate users, gaining unauthorized access to sensitive information - Data Tampering: Attackers can alter or delete data, affecting integrity. This includes unauthorized changes to balances, voiding transactions, or modifying critical business data - Disclosure of Information: SQL injection may lead to complete exposure of all data stored in the database, including confidential and proprietary information - Denial of Service: By corrupting data or overwhelming the database with requests, attackers can render data unavailable, effectively causing a denial of service - Elevated Privileges: Attackers can potentially escalate their privileges within the system to that of a database administrator, gaining control over database management and operations Mitigation Mitigation steps for suspected SQL Injection attempt include: - Request Validation: Thoroughly examine all requests intercepted by AWS WAF for signs of SQL injection, such as unusual patterns or SQL syntax within user input fields - Detailed Investigation: For requests flagged as suspicious, conduct a deeper analysis. Investigate source IP addresses, requested URLs, and the specific query parameters involved. Identify any commonalities or trends that could indicate systematic attempts at SQL injection - Enhance Detection Rules: Continuously update and refine AWS WAF rules to detect and block SQL injection attempts more effectively. Use threat intelligence and known attack signatures to enhance rule accuracy - Use Parameterized Queries: Ensure that all database queries from your applications use parameterized queries or prepared statements, which are less vulnerable to SQL injection - Implement Least Privilege: Restrict database permissions to the minimum necessary for each application function. This limits the potential impact of a successful SQL injection attack - Regular Audits and Monitoring: Conduct regular security audits of your database and application environments. Monitor logs for unusual database queries or unauthorized access patterns, which can serve as early indicators of an attack MITRE Tactic: TA0001 MITRE Technique: T1190'

'Summary This alert is activated when AWS WAF logs identify a termination rule that is associated with remote code execution (RCE) attacks. Remote Code Execution attacks involve an attacker exploiting vulnerabilities within a web application to run malicious code on the server. This type of attack can compromise the server''s integrity, allowing the attacker to gain unauthorized access or control over the server. The alert aims to detect and mitigate such attempts to safeguard the application and its data. Impact Potential impact of suspected Remote Code Execution attempt include: Network Access through RCE: Exploitation of Remote Code Execution (RCE) vulnerabilities in web applications can provide threat actors with initial access to the network. Once inside, attackers can leverage this foothold to execute arbitrary commands, control system resources, install malware, or manipulate data, posing a critical security risk to the entire network infrastructure. Mitigation Mitigation steps for suspected Remote Code Execution attempt include: - Request Validation: Meticulously inspect all requests flagged by AWS WAF that could potentially be involved in a Remote Code Execution attempt. Pay particular attention to any payloads or parameters that contain executable code or scripts - Detailed Investigation: For any requests that raise suspicion, conduct a thorough investigation by examining the source IP addresses, requested URLs, and other relevant request details. Look for patterns that match known RCE techniques or anomalies that deviate from normal user behavior - Enhance Monitoring and Detection: Enhance your detection capabilities to better identify and respond to RCE attempts. Regularly update detection rules based on the latest threat intelligence and indicators of compromise associated with emerging RCE vulnerabilities - Security Hardening: Apply strict input validation and sanitization practices to reduce the risk of malicious code execution. Ensure that all software components, including web servers and applications, are up-to-date with the latest security patches - Incident Response Plan: Ensure that a robust incident response plan is in place that includes specific procedures for responding to RCE attacks. This plan should facilitate quick isolation of affected systems, preservation of evidence, and rapid remediation of vulnerabilities MITRE Tactic: TA0001 MITRE Technique: T1190'

This alert is triggered by a high volume of bot requests detected by AWS WAF. Bots are automated programs designed to perform tasks on networks by mimicking or replacing human behavior. While some bots, like search engine crawlers (e.g., Googlebot or Bingbot) and social media bots (e.g., Facebook Bot), are beneficial and enhance business operations, others pose significant threats. Malicious bots, such as those used for credential stuffing, web scraping, or spamming, can disrupt services, steal data, and degrade the user experience. This alert aims to identify and manage both beneficial and harmful bot traffic to protect and optimize web application performance. Impact Potential Impact of Excessive Bot Traffic: - Disruption of Operations: High volumes of bot requests can overwhelm web servers, potentially leading to slowed response times or even service outages. This disruption affects the normal operations of a business, impacting user experience and potentially resulting in lost revenue. - Data Theft: Malicious bots can be employed to extract confidential information from web applications. These bots may carry out sophisticated scraping operations to steal sensitive data, intellectual property, or competitive business information, posing a significant security threat. Mitigation Mitigation steps for excessive Bot Traffic include: - Identify the Bots Nature: Begin by categorizing the detected bot traffic. Use AWS WAF capabilities to differentiate between recognized 'good' bots (like search engine crawlers) and potentially malicious 'bad' bots. This identification is crucial for effective response strategies. - Further Investigation for Suspicious Bots: For bots not categorized as 'good,' initiate a detailed investigation. Analyze their behaviors, such as request patterns, frequency, and the type of data they access. Determine the potential threat and the botu2019s purpose. - Implement Bot Management Solutions: Employ advanced bot management solutions that include rate limiting, CAPTCHA challenges, and behavior analysis to effectively manage and mitigate unwanted bot traffic. - Enhance WAF Configurations: Adjust AWS WAF rules to more effectively detect and block suspicious bot activities. This might include updating rate limits or enhancing pattern recognition algorithms to better identify and differentiate between bot types. - Continuous Monitoring and Analysis: Maintain ongoing monitoring of traffic patterns to quickly detect and respond to new or evolving bot threats. Regularly review and refine control measures based on the latest bot activity and threat intelligence. MITRE Tactic: TA0042 MITRE Technique: T1583"

'Summary This alert is activated when an AWS WAF log entry points to a termination rule targeting activities associated with common vulnerability exploits. The alert identifies attempts to exploit known vulnerabilities within the network infrastructure, which may include SQL injections, cross-site scripting (XSS), or other well-documented security threats. The focus is on intercepting and addressing these exploit attempts to prevent potential security breaches Impact Exploitation of common vulnerabilities in web applications provides a gateway for threat actors to gain initial access to the network. This access can lead to further unauthorized activities, including data theft, system manipulation, or deeper network penetration, posing significant security risks to the organization. Mitigation Detailed CVE Investigation: Upon triggering of this alert, immediately investigate the specific Common Vulnerabilities and Exposures (CVE) referenced in the AWS WAF logs. Conduct a thorough analysis to understand the nature of the vulnerability, the affected systems, and the potential methods of exploitation. - Assess Vulnerability Impact: Evaluate the potential impact of the CVE on your environment. Determine which systems are vulnerable and the severity of the threat. - Patch Management: Prioritize and apply security patches or updates to the affected systems as recommended by the CVE advisories. Ensure that all software and systems are up-to-date with the latest security patches to mitigate the risk. - Enhance Monitoring and Controls: Increase surveillance and control measures around the affected systems. Adjust AWS WAF rules to detect and block exploit attempts more effectively. MITRE Tactic: TA0001 MITRE Technique: T1190'

This alert activates when AWS WAF logs indicate termination due to a rule associated with either command or code injection attacks. Code injection encompasses a variety of attack types where attackers inject malicious code into a web application, which is then executed by the application. This type of attack typically exploits the applications improper handling or sanitization of untrusted data. Command injection, a subset of code injection, specifically aims to execute arbitrary commands on the host system through a vulnerable application. Both forms of injection pose serious security threats, potentially allowing attackers to manipulate or gain control of affected systems. Impact Potential Impact of suspected code injection attempt: - Command Injection Impact: In command injection attacks, attackers exploit an application's existing functionalities to execute unauthorized system commands. This type of attack bypasses the need to inject new code, leveraging the applicationu2019s ability to access system commands directly. Such attacks can alter or disrupt system operations, steal data, or provide attackers with unauthorized access to underlying systems. - Code Injection Impact: Code injection allows attackers to introduce their own malicious code into a program. This code is then executed by the vulnerable application, potentially leading to data theft, system compromise, and the spread of malware. The introduced code can also create backdoors, allowing sustained access to the affected systems. Mitigation Mitigation steps for suspected code injection attempts include: - Request Validation: Rigorously inspect all requests flagged by AWS WAF that may involve code or command injection. Scrutinize the requests for unusual patterns or signatures that match known injection tactics. - In-depth Investigation: If a request appears suspicious, conduct a detailed analysis. Examine the source IP addresses, requested URLs, and any payload data associated with the request. Look for anomalies or patterns indicative of malicious intent, such as unusual commands or code snippets embedded within parameters. - Enhanced Monitoring: Increase monitoring capabilities to detect and alert on similar attempts more swiftly. Adjust WAF configurations to strengthen detection and prevention of both code and command injection attacks. - Security Best Practices: Ensure that all user inputs are properly sanitized and validated on both client-side and server-side applications to prevent executable code from being injected. Employ the principle of least privilege to limit what commands can be executed by any application. - Update and Patch: Regularly update and patch all systems to close vulnerabilities that could be exploited via code injection. Include application frameworks and dependencies in this regular maintenance. MITRE Tactic: TA0001 MITRE Technique: T1190"

'Summary This alert is triggered when the terminating rule in the logs identifies an IP address with a suspicious reputation. Impact Traffic from suspicious IP addresses poses significant risks, potentially leading to DDoS attacks, data breaches, brute force attempts, malware distribution, spamming, and resource depletion, all of which compromise both security and performance of organizational assets. Mitigation Review and validate all requests intercepted by the AWS WAF. If the requests appear suspicious, conduct a detailed investigation by analyzing the source IP addresses, requested URLs, and other relevant traffic patterns. Take appropriate action based on the findings. MITRE Tactic: TA0001 MITRE Technique: T1190'