LoFP / Bucket components may be deleted or adjusted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS S3 Bucket Expiration Lifecycle Configuration Added

Description

Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.

Detection logic

event.dataset: "aws.cloudtrail" and event.provider: "s3.amazonaws.com" and
    event.action: PutBucketLifecycle and event.outcome: success and
    aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*)
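As an added example (not part of the original rule or of the Elastic detection engine), the KQL above re-expressed in Python and run over constructed ECS-shaped CloudTrail records, together with the identity allowlist that the false-positive note suggests; the field paths, user names and request_parameters strings are assumptions.

```python
# Added example; records, names and request_parameters strings are constructed assumptions, not real logs.
def _ev(action, outcome, user, params):
    """Build a constructed CloudTrail record shaped like the ECS fields the rule queries."""
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "s3.amazonaws.com",
                  "action": action, "outcome": outcome},
        "user": {"name": user},
        "aws": {"cloudtrail": {"request_parameters": params}},
    }
# One lifecycle rule with an Expiration action, one with only a Transition (no Expiration=).
EXPIRE = ("{bucketName=audit-logs, LifecycleConfiguration={Rules=[{Expiration={Days=1}, "
          "Status=Enabled, ID=purge}]}}")
TRANSITION = ("{bucketName=audit-logs, LifecycleConfiguration={Rules=[{Transition={Days=30, "
              "StorageClass=GLACIER}, Status=Enabled, ID=tier}]}}")
SAMPLE_EVENTS = [
    _ev("PutBucketLifecycle", "success", "contractor-tmp", EXPIRE),      # fires
    _ev("PutBucketLifecycle", "success", "backup-admin", EXPIRE),        # fires, then exempted
    _ev("PutBucketLifecycle", "success", "contractor-tmp", TRANSITION),  # no Expiration= -> no match
    _ev("PutBucketLifecycle", "failure", "contractor-tmp", EXPIRE),      # outcome not success
    _ev("DeleteBucketLifecycle", "success", "contractor-tmp", ""),       # different action
]

def _get(event, path):
    """Walk a dotted ECS path such as 'aws.cloudtrail.request_parameters'; None if absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_rule(event):
    """Equivalent of the KQL: exact field matches plus the two wildcard substring terms."""
    params = _get(event, "aws.cloudtrail.request_parameters") or ""
    return (_get(event, "event.dataset") == "aws.cloudtrail"
            and _get(event, "event.provider") == "s3.amazonaws.com"
            and _get(event, "event.action") == "PutBucketLifecycle"
            and _get(event, "event.outcome") == "success"
            and "LifecycleConfiguration" in params   # *LifecycleConfiguration*
            and "Expiration=" in params)             # *Expiration=*

# Hypothetical allowlist of identities whose lifecycle changes are known-good here.
KNOWN_GOOD_USERS = {"backup-admin"}
def triage(events, known_good=KNOWN_GOOD_USERS):
    """Split matching events into alerts and allowlist exemptions by user identity."""
    alerts, exempted = [], []
    for ev in events:
        if matches_rule(ev):
            (exempted if _get(ev, "user.name") in known_good else alerts).append(ev)
    return alerts, exempted
```

The exemption is applied after the match rather than folded into the query, so exempted events can still be counted and reviewed when the allowlist is audited.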