Potential AWS S3 Bucket Ransomware Note Uploaded
- source: elastic
- techniques:
  - T1485
Description
Identifies a potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the PutObject S3 API call with a common ransomware note file extension such as .ransom or .lock. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
Detection logic
from logs-aws.cloudtrail-*
// any successful uploads via S3 API requests
| where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutObject"
    and event.outcome == "success"
// extract the object name from the API request parameters; the pattern skips everything
// up to "key=" and the final literal "}" consumes the brace that closes the parameters string
| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}"
// regex on common ransomware note extensions (RLIKE matches the whole string, hence the (.*) wrappers)
| where object_name rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
    and not object_name rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)"
// keep relevant fields
| keep tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name
// aggregate by S3 bucket host, caller identity and object name
| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name
// keep single occurrences only, to drop repeated (routine or bulk) upload operations
| where note_upload_count == 1
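The following Python program is an added example, not Elastic's code and not part of this rule page: it re-implements the four stages of the ES|QL query above (event filter, dissect of the object name, the two RLIKE checks, and the count-by aggregation with the `== 1` filter) over a handful of constructed CloudTrail events, so the behaviour of each stage can be checked offline. The field names follow the rule; the rendering of `aws.cloudtrail.request_parameters` as `{bucketName=..., key=<name>}` and the account id and principal ARNs are assumptions for the sake of the sample.

```python
import re
from collections import Counter

# Stage 1 of the rule: the event filters applied in the first "where" clause.
RULE_FILTERS = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "s3.amazonaws.com",
    "event.action": "PutObject",
    "event.outcome": "success",
}

# Stage 2: the dissect pattern "%{?ignore_values}key=%{object_name}}" skips everything
# up to "key=" and takes the object name up to the literal "}" that closes the string.
KEY_PATTERN = re.compile(r"key=(?P<object_name>.*?)\}")

# Stage 3: the rule's rlike patterns. ES|QL RLIKE must match the whole string, which is
# why the rule wraps its alternation in "(.*)...(.*)"; re.fullmatch reproduces that.
NOTE_PATTERN = re.compile(
    r"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
)
EXCLUDE_PATTERN = re.compile(r"(.*)(AWSLogs|CloudTrail|access-logs)(.*)")


def extract_object_name(request_parameters):
    """Mimic the dissect step: return the S3 key from the request_parameters string, or None."""
    m = KEY_PATTERN.search(request_parameters)
    return m.group("object_name") if m else None


def looks_like_ransom_note(object_name):
    """Mimic the rule's regex stage: broad substring match minus the log-path exclusions."""
    return bool(NOTE_PATTERN.fullmatch(object_name)) and not EXCLUDE_PATTERN.fullmatch(object_name)


def run_rule(events):
    """Apply filter, dissect, regex and the count-by aggregation; return rows with count == 1."""
    counts = Counter()
    for ev in events:
        if any(ev.get(field) != value for field, value in RULE_FILTERS.items()):
            continue
        object_name = extract_object_name(ev.get("aws.cloudtrail.request_parameters", ""))
        if object_name is None or not looks_like_ransom_note(object_name):
            continue
        key = (ev.get("tls.client.server_name"), ev.get("aws.cloudtrail.user_identity.arn"), object_name)
        counts[key] += 1
    # Stage 4: the final "where note_upload_count == 1" drops repeated (bulk/routine) uploads.
    return [
        {"tls.client.server_name": bucket_host, "aws.cloudtrail.user_identity.arn": arn,
         "object_name": name, "note_upload_count": n}
        for (bucket_host, arn, name), n in counts.items() if n == 1
    ]


def make_event(action, outcome, bucket, arn, key):
    """Build one constructed CloudTrail event, flattened into the fields the rule reads."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "tls.client.server_name": f"{bucket}.s3.amazonaws.com",
        "aws.cloudtrail.user_identity.arn": arn,
        # Assumed rendering of request_parameters as "{k=v, ..., key=<name>}"; the closing
        # brace is what the dissect pattern's trailing literal "}" consumes.
        "aws.cloudtrail.request_parameters": f"{{bucketName={bucket}, Host={bucket}.s3.amazonaws.com, key={key}}}",
    }


# Constructed sample events (fictitious account id and principals).
ATTACKER = "arn:aws:iam::111122223333:user/compromised-user"
DEPLOYER = "arn:aws:iam::111122223333:role/ci-deploy"
SAMPLE_EVENTS = [
    make_event("PutObject", "success", "victim-data", ATTACKER, "HOW_TO_RECOVER.ransom"),  # single note upload
    make_event("PutObject", "success", "victim-data", DEPLOYER, "readme.txt"),              # routine, repeated...
    make_event("PutObject", "success", "victim-data", DEPLOYER, "readme.txt"),              # ...so count == 2
    make_event("PutObject", "success", "audit-logs", DEPLOYER,
               "AWSLogs/111122223333/CloudTrail/us-east-1/lock.json.gz"),                   # excluded log path
    make_event("PutObject", "failure", "victim-data", ATTACKER, "data.lock"),               # failed upload
    make_event("GetObject", "success", "victim-data", ATTACKER, "HOW_TO_RECOVER.ransom"),   # not a PutObject
    make_event("PutObject", "success", "victim-data", DEPLOYER, "reports/q1.pdf"),          # no note keyword
]

if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row)
```

Running it yields exactly one row, the single `HOW_TO_RECOVER.ransom` upload by the compromised principal; the repeated `readme.txt` upload is dropped by the count filter, the `AWSLogs/.../lock.json.gz` key by the exclusion pattern, and the failed and GetObject events by the first-stage filters. Two points worth keeping in mind when tuning: RLIKE is a whole-string match, so the `(.*)` wrappers are what turn the keyword list into a substring search, and that list is deliberately broad (`lock`, `enc`, `readme` also match names such as `blocked_ips.txt`), which the final `== 1` filter only partly compensates for; further path exclusions like the existing `AWSLogs` one are the usual way to cut the remaining noise.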