/
aws_defense_evasion_putbucketlifecycle.yml
72 lines (72 loc) · 2.73 KB
/
aws_defense_evasion_putbucketlifecycle.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: AWS Defense Evasion PutBucketLifecycle
id: ce1c0e2b-9303-4903-818b-0d9002fc6ea4
version: 1
date: '2022-07-25'
author: Bhavin Patel
status: production
type: Hunting
description: This analytic identifies `PutBucketLifecycle` events in CloudTrail logs
where a user has created a new lifecycle rule for an S3 bucket with a short expiration
period. Attackers may use this API call to impair the CloudTrail logging by removing
logs from the S3 bucket by changing the object expiration day to 1 day, in which
case the CloudTrail logs will be deleted.
data_source:
- AWS CloudTrail PutBucketLifecycle
search: '`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success
| spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days
output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name
| stats count min(_time) as firstTime max(_time) as lastTime by src region eventName
userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`'
how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in
your AWS Environment. We recommend our users to set the expiration days value according
to your company's log retention policies.
known_false_positives: While this search has no known false positives, it is possible
that it is a legitimate admin activity. Please consider filtering out these noisy
events using userAgent, user_arn field names.
references:
- https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
tags:
analytic_story:
- AWS Defense Evasion
asset_type: AWS Account
confidence: 40
impact: 50
message: User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$
with short expiration days
mitre_attack_id:
- T1562.008
- T1562
observable:
- name: src
type: IP Address
role:
- Attacker
- name: user_arn
type: User
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- eventName
- eventSource
- requestParameters.name
- userAgent
- aws_account_id
- src
- region
- requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days
- requestParameters{}.bucketName
risk_score: 20
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true