Techniques
Sample rules
Potential AWS S3 Bucket Ransomware Note Uploaded
- source: elastic
- techniques:
- T1485
- T1486
Description
Identifies a potential ransomware note being uploaded to an AWS S3 bucket. The rule matches a successful PutObject S3 API call whose object key contains a name or extension commonly used for ransom notes, such as ransom or .lock. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims. Two points for anyone deploying it: PutObject is an S3 data event, which CloudTrail only records when object-level data event logging is enabled on the trail, so the rule is silent on buckets without it; and the keyword list is broad (enc, lock, readme, recovery will all hit ordinary object keys), so expect benign matches and add exclusions for known-good prefixes alongside the logging-path exclusion already in the query.
Detection logic
file where
  /* CloudTrail S3 data events only; PutObject is not a management event */
  event.dataset == "aws.cloudtrail" and
  event.provider == "s3.amazonaws.com" and
  event.action == "PutObject" and
  event.outcome == "success" and
  /* Apply regex to match patterns only after the bucket name */
  aws.cloudtrail.resources.arn regex "arn:aws:s3:::[^/]+/.*?(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue).*" and
  /* Ignore writes into CloudTrail and S3 server access-log prefixes */
  not aws.cloudtrail.resources.arn regex ".*(AWSLogs|CloudTrail|access-logs).*"
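To see what the query above actually fires on, here is the same logic re-implemented in plain Python and run over a handful of constructed ECS-style CloudTrail events. This is an added example, not Elastic's rule code: the field names follow the query, Python's re.fullmatch stands in for EQL's regex operator (which also matches the whole string), and the sample ARNs, bucket names and the make_event/run_rule helpers are invented for illustration. It deliberately includes a benign key that trips the broad "enc" token and an uppercase note name that the case-sensitive regex operator misses (EQL's regex~ is the case-insensitive form).

```python
import re

# Patterns copied from the rule. EQL's "regex" operator is case sensitive and
# matches the entire string, so re.fullmatch is the closest Python equivalent.
NOTE_ARN_RE = re.compile(
    r"arn:aws:s3:::[^/]+/.*?(ransom|lock|crypt|enc|readme|how_to_decrypt|"
    r"decrypt_instructions|recovery|datarescue).*"
)
LOGGING_ARN_RE = re.compile(r".*(AWSLogs|CloudTrail|access-logs).*")


def matches_rule(event: dict) -> bool:
    """Apply every clause of the detection logic to one flattened ECS event."""
    if event.get("event.category") != "file":          # "file where ..."
        return False
    if event.get("event.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.provider") != "s3.amazonaws.com":
        return False
    if event.get("event.action") != "PutObject":
        return False
    if event.get("event.outcome") != "success":
        return False
    arn = event.get("aws.cloudtrail.resources.arn", "")
    # Keyword must sit in the object key, i.e. after the first "/" that
    # follows the bucket name; a keyword in the bucket name alone is not enough.
    if not NOTE_ARN_RE.fullmatch(arn):
        return False
    # Rule's own exclusion for CloudTrail / server access-log destinations.
    if LOGGING_ARN_RE.fullmatch(arn):
        return False
    return True


def make_event(action: str, arn: str, outcome: str = "success") -> dict:
    """Build a minimal, constructed ECS-style CloudTrail S3 event (hypothetical)."""
    return {
        "event.category": "file",
        "event.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.resources.arn": arn,
    }


# Constructed sample events; none of these are real CloudTrail records.
SAMPLE_EVENTS = [
    # True positive: note dropped at the bucket root.
    make_event("PutObject", "arn:aws:s3:::victim-data/ransom_note.txt"),
    # Miss: uppercase note name, never matched by the case-sensitive regex.
    make_event("PutObject", "arn:aws:s3:::victim-data/README_TO_DECRYPT.txt"),
    # Suppressed: "enc" hits, but the key lives under an access-logs prefix.
    make_event("PutObject",
               "arn:aws:s3:::central-logs/access-logs/encrypted-archive/2024-01-01.log"),
    # No match: keyword only in the bucket name, not in the object key.
    make_event("PutObject", "arn:aws:s3:::ransom-bucket/reports/q1.csv"),
    # False positive: ordinary build artefact containing "enc".
    make_event("PutObject", "arn:aws:s3:::app-assets/build/encoding-table.json"),
    # No match: read, not write.
    make_event("GetObject", "arn:aws:s3:::victim-data/ransom_note.txt"),
    # No match: denied write (event.outcome != success).
    make_event("PutObject", "arn:aws:s3:::victim-data/ransom_note.txt",
               outcome="failure"),
]


def run_rule(events: list) -> list:
    """Return the resource ARNs of every event the rule would alert on."""
    return [e["aws.cloudtrail.resources.arn"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for arn in run_rule(SAMPLE_EVENTS):
        print("ALERT", arn)
```

Run against the constructed events the rule alerts on two ARNs: the genuine ransom_note.txt and the benign encoding-table.json, while the uppercase README_TO_DECRYPT.txt goes unnoticed. That pair is the tuning problem in miniature: the short tokens buy coverage at the cost of noise, and case sensitivity gives the noise back without buying coverage, so switching the operator to regex~ and adding bucket- or prefix-specific exclusions is the usual first adjustment.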