forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
109 lines (89 loc) · 5.84 KB
/
defense_evasion_s3_bucket_lifecycle_expiration_added.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
[metadata]
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/09"
[rule]
author = ["Elastic"]
description = """
Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage
objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to
an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of
time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.
"""
false_positives = [
"""
Bucket components may be deleted or adjusted by a system or network administrator. Verify whether the user identity,
user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar
users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Bucket Expiration Lifecycle Configuration Added"
note = """
## Triage and Analysis
### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added
This rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations can automate the deletion of objects within a bucket after a specified period, potentially obfuscating evidence of unauthorized access or malicious activity by automatically removing logs or other data.
#### Detailed Investigation Steps
- **Review the Affected S3 Bucket**: Check the bucket details (`bucketName`) where the lifecycle configuration has been added.
- Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy.
- **Analyze the Lifecycle Configuration**:
- **Expiration Policy**: Note the `Days` parameter under `Expiration` in the lifecycle rule. This indicates how long after creation data will remain in the bucket before being automatically deleted.
- **Rule ID and Status**: Review the `ID` and `Status` of the lifecycle rule to understand its operational scope and activation status.
- **User Identity and Activity**:
- **User Details**: Investigate the user (`user_identity.arn`) who made the change. Determine whether this user's role typically involves managing S3 bucket configurations.
- **Authentication Details**: Examine the authentication method and whether the access key used (`access_key_id`) is routinely used for such configurations or if it has deviated from normal usage patterns.
- **Source IP and User Agent**:
- **Source IP Address**: The IP address (`source.ip`) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user’s known locations.
- **User Agent**: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes.
#### Possible Indicators of Compromise or Misuse
- **Frequent Changes**: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically.
- **Unusual User Activity**: Activities that do not correlate with the user's typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation.
### False Positive Analysis
- Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.
### Response and Remediation
- **Immediate Review**: If the change was unauthorized, consider reverting the lifecycle configuration change immediately to prevent potential data loss.
- **Enhance Monitoring**: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments.
- **User Education**: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.
### Additional Information
For further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on [S3 Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html).
"""
references = [
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html",
]
risk_score = 21
rule_id = "ff320c56-f8fa-11ee-8c44-f661ea17fbce"
setup = "This rule requires S3 data events to be logged to CloudTrail. CloudTrail trails can be configured to log S3 data events in the AWS Management Console or using the AWS CLI."
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: Amazon S3",
"Use Case: Asset Visibility",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset: "aws.cloudtrail" and event.provider: "s3.amazonaws.com" and
event.action: PutBucketLifecycle and event.outcome: success and
aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"