LoFP / Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of events is not part of a legitimate operation before taking action.

Sample rules

Potential AWS S3 Bucket Ransomware Note Uploaded

Description

Identifies a potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the PutObject S3 API call with an object key that uses a common ransomware note naming pattern or extension, such as .ransom or .lock. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.

Detection logic

from logs-aws.cloudtrail-*

// any successful uploads via S3 API requests
| where
  event.dataset == "aws.cloudtrail"
  and event.provider == "s3.amazonaws.com"
  and event.action == "PutObject"
  and event.outcome == "success"

// extract object key from API request parameters
| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{Esql.aws_cloudtrail_request_parameters_object_key}}"

// regex match against common ransomware naming patterns
| where
  Esql.aws_cloudtrail_request_parameters_object_key rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
  and not Esql.aws_cloudtrail_request_parameters_object_key rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)"

// keep relevant ECS and derived fields
| keep
  tls.client.server_name,
  aws.cloudtrail.user_identity.arn,
  Esql.aws_cloudtrail_request_parameters_object_key

// aggregate by server name, actor, and object key
| stats
    Esql.event_count = count(*)
  by
    tls.client.server_name,
    aws.cloudtrail.user_identity.arn,
    Esql.aws_cloudtrail_request_parameters_object_key

// filter for rare single uploads (likely test/detonation)
| where Esql.event_count == 1
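The same filter chain as the ES|QL query above, re-implemented in Python as an added example that runs over constructed CloudTrail-style records; it is not part of the original rule. Field names follow the ECS fields the query keeps, while the bucket, ARNs and object keys are made up, and the key extraction mirrors the dissect pattern rather than calling Elasticsearch.

```python
import re
from collections import Counter

# Mirrors the dissect pattern: skip everything before "key=", capture up to the closing brace.
KEY_RE = re.compile(r"key=(?P<key>[^}]*)\}")
# Same alternations as the rule's rlike clauses; matched case-sensitively like the patterns as written.
RANSOM_RE = re.compile(r"(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)")
EXCLUDE_RE = re.compile(r"(AWSLogs|CloudTrail|access-logs)")


def extract_object_key(request_parameters):
    """Return the S3 object key from a flattened requestParameters string, or None if absent."""
    m = KEY_RE.search(request_parameters)
    return m.group("key") if m else None


def detect_ransom_note_uploads(events):
    """Apply the rule's filters and return (server_name, arn, key) tuples seen exactly once."""
    counts = Counter()
    for ev in events:
        if not (ev.get("event.dataset") == "aws.cloudtrail"
                and ev.get("event.provider") == "s3.amazonaws.com"
                and ev.get("event.action") == "PutObject"
                and ev.get("event.outcome") == "success"):
            continue
        key = extract_object_key(ev.get("aws.cloudtrail.request_parameters", ""))
        if key is None or not RANSOM_RE.search(key) or EXCLUDE_RE.search(key):
            continue
        counts[(ev["tls.client.server_name"], ev["aws.cloudtrail.user_identity.arn"], key)] += 1
    # The rule keeps only single occurrences; repeated writes by the same actor drop out here.
    return sorted(k for k, n in counts.items() if n == 1)


def _ev(action, outcome, server, arn, key):
    """Build a constructed CloudTrail-style record shaped like the ECS fields the rule uses."""
    return {"event.dataset": "aws.cloudtrail", "event.provider": "s3.amazonaws.com",
            "event.action": action, "event.outcome": outcome,
            "tls.client.server_name": server, "aws.cloudtrail.user_identity.arn": arn,
            "aws.cloudtrail.request_parameters":
                "{bucketName=%s, Host=%s, key=%s}" % (server.split(".")[0], server, key)}


SRV = "acme-data.s3.amazonaws.com"                       # constructed bucket endpoint
ADMIN = "arn:aws:iam::123456789012:user/backup-admin"     # constructed ARNs
UNKNOWN = "arn:aws:iam::123456789012:user/contractor-tmp"
SAMPLE_EVENTS = [
    _ev("PutObject", "success", SRV, UNKNOWN, "readme_how_to_recover.txt"),      # single ransom-like upload
    _ev("PutObject", "success", SRV, ADMIN, "nightly/db.lock"),                  # admin lock file, written twice
    _ev("PutObject", "success", SRV, ADMIN, "nightly/db.lock"),
    _ev("PutObject", "success", SRV, ADMIN, "AWSLogs/123456789012/recovery.log"),  # excluded log prefix
    _ev("PutObject", "failure", SRV, UNKNOWN, "ransom_note.html"),               # denied write, not counted
    _ev("GetObject", "success", SRV, ADMIN, "reports/encrypted.zip"),            # a read, not an upload
]

if __name__ == "__main__":
    for server, arn, key in detect_ransom_note_uploads(SAMPLE_EVENTS):
        print(f"review: {arn} uploaded {key!r} to {server}")
```

Only the contractor's one-off readme upload survives; the admin's repeated lock-file writes are the kind of legitimate sequence the false-positive note above warns about, and the count filter drops them.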