LoFP / Legitimate use of Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects in an S3 bucket.

Techniques

Sample rules

Unusual AWS S3 Object Encryption with SSE-C

Description

Identifies when AWS S3 objects stored in a bucket are encrypted using Server-Side Encryption with Customer-Provided Keys (SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption keys, rendering the objects unreadable and unrecoverable without the key, since AWS does not retain the customer-provided key. This can be used as a form of ransomware to extort the bucket owner for the decryption key. This is a New Terms rule that flags when this behavior is observed for the first time in the last 14 days for a given combination of user ARN and target bucket name.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "s3.amazonaws.com"
    and event.action: "PutObject"
    and event.outcome: "success"
    and aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm: "AES256"
    and aws.cloudtrail.flattened.additional_eventdata.SSEApplied: "SSE_C"

Excessive AWS S3 Object Encryption with SSE-C

Description

Identifies a high volume of AWS S3 objects stored in a bucket using Server-Side Encryption with Customer-Provided Keys (SSE-C). Adversaries with compromised AWS credentials can encrypt objects in an S3 bucket using their own encryption keys, rendering the objects unreadable and unrecoverable without the key. This can be used as a form of ransomware to extort the bucket owner for the decryption key. This is a Threshold rule that flags when this behavior is observed for a specific bucket more than 15 times in a short time window.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "s3.amazonaws.com"
    and event.action: "PutObject"
    and event.outcome: "success"
    and aws.cloudtrail.flattened.request_parameters.x-amz-server-side-encryption-customer-algorithm: "AES256"
    and aws.cloudtrail.flattened.additional_eventdata.SSEApplied: "SSE_C"
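The two rules share the same event filter and differ only in how matches are aggregated: once per new (user ARN, bucket) pair within 14 days, or more than 15 matches for one bucket in a short window. The following added example (written for this page; it is not code from the LoFP project or from the Elastic rules) runs both aggregations over a handful of constructed CloudTrail PutObject records. Field names follow the flattened layout used in the detection logic above; the user ARN and bucket name field names, the five-minute threshold window, and all sample events are assumptions made for the illustration.

```python
"""Evaluate the SSE-C New Terms and Threshold logic over constructed CloudTrail events.

Added example, not part of the LoFP page or the Elastic rules it quotes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Fields used for aggregation (assumed names; the rules above only show the filter fields).
ARN_FIELD = "aws.cloudtrail.user_identity.arn"
BUCKET_FIELD = "aws.cloudtrail.flattened.request_parameters.bucketName"
SSEC_ALG_FIELD = (
    "aws.cloudtrail.flattened.request_parameters."
    "x-amz-server-side-encryption-customer-algorithm"
)
SSE_APPLIED_FIELD = "aws.cloudtrail.flattened.additional_eventdata.SSEApplied"


def matches_ssec_put(e):
    """The shared filter from both rules: a successful S3 PutObject where SSE-C was applied."""
    return (
        e.get("event.dataset") == "aws.cloudtrail"
        and e.get("event.provider") == "s3.amazonaws.com"
        and e.get("event.action") == "PutObject"
        and e.get("event.outcome") == "success"
        and e.get(SSEC_ALG_FIELD) == "AES256"
        and e.get(SSE_APPLIED_FIELD) == "SSE_C"
    )


def matching_events(events):
    return [e for e in events if matches_ssec_put(e)]


def new_terms_alerts(events, lookback=timedelta(days=14)):
    """New Terms logic: alert the first time a (user ARN, bucket) pair is seen within the lookback.

    A pair that keeps writing SSE-C objects (a backup job, a key-managing application)
    fires once and is then silent, which is why legitimate use shows up as a single alert.
    """
    last_seen = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        if not matches_ssec_put(e):
            continue
        term = (e[ARN_FIELD], e[BUCKET_FIELD])
        prev = last_seen.get(term)
        if prev is None or e["@timestamp"] - prev > lookback:
            alerts.append((e["@timestamp"], term))
        last_seen[term] = e["@timestamp"]
    return alerts


def threshold_alerts(events, threshold=15, window=timedelta(minutes=5)):
    """Threshold logic: flag a bucket that receives more than `threshold` SSE-C puts in `window`."""
    recent = defaultdict(deque)  # bucket -> timestamps inside the sliding window
    flagged = set()
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        if not matches_ssec_put(e):
            continue
        bucket = e[BUCKET_FIELD]
        q = recent[bucket]
        q.append(e["@timestamp"])
        while q and e["@timestamp"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(bucket)
    return sorted(flagged)


def _event(ts, arn, bucket, key, alg="AES256", applied="SSE_C", outcome="success"):
    """Build one constructed CloudTrail record in the flattened field layout."""
    return {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": "PutObject",
        "event.outcome": outcome,
        ARN_FIELD: arn,
        BUCKET_FIELD: bucket,
        "aws.cloudtrail.flattened.request_parameters.key": key,
        SSEC_ALG_FIELD: alg,
        SSE_APPLIED_FIELD: applied,
    }


# Constructed sample data (hypothetical account, principals and buckets).
BASE = datetime(2024, 6, 1, tzinfo=timezone.utc)
BACKUP_ARN = "arn:aws:sts::111111111111:assumed-role/backup-role/nightly"
USER_ARN = "arn:aws:iam::111111111111:user/dev-jane"
SAMPLE_EVENTS = (
    # Legitimate: a backup role writing one SSE-C object per night.
    [_event(BASE + timedelta(days=d), BACKUP_ARN, "backups-prod", f"db-{d}.dump") for d in range(3)]
    # Suspicious: a user principal re-encrypting 20 objects in 95 seconds.
    + [_event(BASE + timedelta(days=3, seconds=5 * i), USER_ARN, "customer-data", f"obj-{i}") for i in range(20)]
    # Not SSE-C (KMS-managed key): must not match the filter.
    + [_event(BASE + timedelta(days=4), USER_ARN, "customer-data", "obj-x", alg=None, applied="SSE_KMS")]
    # SSE-C attempted but denied: event.outcome is not "success".
    + [_event(BASE + timedelta(days=4), USER_ARN, "finance", "obj-y", outcome="failure")]
)

if __name__ == "__main__":
    for ts, (arn, bucket) in new_terms_alerts(SAMPLE_EVENTS):
        print(f"new terms: {ts.isoformat()} {arn} -> {bucket}")
    print("threshold:", threshold_alerts(SAMPLE_EVENTS))
```

Running it shows the backup role producing exactly one New Terms alert (the first night) and no Threshold alert, while the user principal trips both. When triaging, compare the flagged ARN and bucket against the principals that are expected to use SSE-C; a known backup or key-managing application is the legitimate case this page describes, whereas an interactive user or a principal that has never written SSE-C objects to that bucket warrants investigation.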