Skip to content

DeleteRuleGroup

AWS

DeleteRuleGroup

service: AWS - WAFV2
techniques:

Event

Permanently deletes a WAF rule group containing a set of web traffic filtering rules.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.

Log Source

CloudTrail

Sample Event

Adversarial. Draco deletes the BILLYWIG ingress rule group (billywig-public-ingress-rg) used by the public API edge before he attempts a credential-stuffing burst against /login. Removing the WAF rule group eliminates the rate-based and bot-control rules that would have throttled him. T1685.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T19:02:11Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:08:42Z",
"eventSource": "wafv2.amazonaws.com",
"eventName": "DeleteRuleGroup",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"name": "billywig-public-ingress-rg",
"scope": "REGIONAL",
"id": "60000000-0000-4000-8000-000011111100",
"lockToken": "a1b2c3d4-5678-90ab-cdef-1234567890ab"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000011111010",
"eventID": "90000000-0000-4000-8000-000011111011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "wafv2.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...