Enumerate WAF Rules (aws)
Platform | Author | Last Update |
---|---|---|
aws | Nick Jones | 2024-12-02 |
An attacker may attempt to enumerate the rulesets applied to any configured WAFs, to aid further exploitation of applications.
MITRE IDs
Required Permissions
- wafv2:ListWebACLs
Required Parameters
None
Attacker Action
aws waf list-web-acls
Detection Case
ELK query
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:ListWebACLs AND eventSource:waf.amazonaws.com
Sigma Definition
```yaml
---
title: Enumerate WAF Rules
id: c5dc6f58-05f1-48ae-8b39-1c441729517b
status: experimental
author: Nick Jones
date: 2024-12-02
description: An attacker may attempt to enumerate the rulesets applied to any configured WAFs, to aid further exploitation of applications
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "waf.amazonaws.com"
  events:
    - eventName: "ListWebACLs"
  condition: selection_source and events
level: low
tags:
  - attack.T1518.001
falsepositives:
  - Developers making legitimate changes to the environment. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
```
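The rule's condition applied to constructed CloudTrail records, with matches counted per caller ARN, user agent and source IP for the false-positive review the rule recommends. This is an added example, not part of the original rule. The `waf-regional.amazonaws.com` and `wafv2.amazonaws.com` event sources are assumptions not found on the page, included to show that WAFv2 calls (the `wafv2:ListWebACLs` permission listed above) would not match a rule keyed only on `waf.amazonaws.com`.

```python
from collections import defaultdict

# Event source named in the page's Sigma rule and Lucene query.
PAGE_SOURCES = {"waf.amazonaws.com"}
# Assumption (not on the page): CloudTrail eventSource values for the
# WAF Classic regional and WAFv2 APIs.
EXTENDED_SOURCES = PAGE_SOURCES | {"waf-regional.amazonaws.com", "wafv2.amazonaws.com"}

def ev(source, name, arn, agent, ip):
    """Build a minimal CloudTrail-shaped record with only the fields used here."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "userAgent": agent, "sourceIPAddress": ip}

# Constructed sample records: account ID, ARNs, user agents and IPs are placeholders.
DEV = "arn:aws:iam::111122223333:user/dev-alice"
APP = "arn:aws:sts::111122223333:assumed-role/app-role/i-0example"
SAMPLE_EVENTS = [
    ev("waf.amazonaws.com", "ListWebACLs", DEV, "console.amazonaws.com", "198.51.100.10"),
    ev("waf.amazonaws.com", "GetWebACL", DEV, "console.amazonaws.com", "198.51.100.10"),
    ev("waf.amazonaws.com", "ListWebACLs", APP, "aws-cli/2.15.0", "203.0.113.7"),
    ev("wafv2.amazonaws.com", "ListWebACLs", APP, "aws-cli/2.15.0", "203.0.113.7"),
]

def matches(event, sources):
    """Sigma condition: selection_source and events."""
    return event.get("eventSource") in sources and event.get("eventName") == "ListWebACLs"

def triage(events, sources):
    """Count matching calls per (caller ARN, user agent, source IP) for review."""
    counts = defaultdict(int)
    for e in events:
        if matches(e, sources):
            arn = e.get("userIdentity", {}).get("arn", "unknown")
            key = (arn, e.get("userAgent", "unknown"), e.get("sourceIPAddress", "unknown"))
            counts[key] += 1
    return dict(counts)

if __name__ == "__main__":
    for label, sources in (("page rule", PAGE_SOURCES), ("extended", EXTENDED_SOURCES)):
        print(label)
        for key, n in sorted(triage(SAMPLE_EVENTS, sources).items()):
            print("  ", n, *key)
```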