{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/indicator_removal/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon S3"],"_cs_severities":["low"],"_cs_tags":["cloud","aws","s3","defense_evasion","indicator_removal"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eAttackers can abuse Amazon S3 lifecycle rules, which automatically delete or transition objects after a set period, to cover their tracks. By configuring auto-deletion of logs, forensic evidence, or sensitive objects, adversaries can hinder investigations and maintain operational secrecy. This activity is detected by monitoring the use of the \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e or \u003ccode\u003ePutBucketLifecycleConfiguration\u003c/code\u003e APIs with Expiration parameters. While legitimate administrators may use these configurations for cost management or retention policies, malicious use indicates potential defense evasion, particularly when applied to buckets containing audit, CloudTrail, or application logs. The original rule was created on 2024/04/12 and updated on 2026/04/10 by Elastic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an S3 bucket containing valuable data, such as logs, audit trails, or forensic evidence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or SDK to execute the \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e or \u003ccode\u003ePutBucketLifecycleConfiguration\u003c/code\u003e API, setting an expiration policy.\u003c/li\u003e\n\u003cli\u003eThe expiration policy is configured with a short expiration period (e.g., 1 day) and applies to the entire bucket or specific prefixes (e.g., \u003ccode\u003e/logs/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker enables the lifecycle policy to automatically delete objects after the defined expiration period.\u003c/li\u003e\n\u003cli\u003eObjects within the S3 bucket are silently and automatically deleted according to the configured lifecycle policy.\u003c/li\u003e\n\u003cli\u003eInvestigators attempting to analyze the attacker's actions find that critical data is missing due to the expiration policy.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully evades detection and hinders forensic analysis by removing evidence of their malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the deletion of critical security logs, audit trails, and forensic evidence stored in Amazon S3 buckets. This can severely impede incident response efforts, making it difficult or impossible to determine the scope and impact of a security breach. Organizations relying on S3 for compliance purposes may also face regulatory penalties due to the loss of required audit data. The severity depends on the type of data lost and the organization's reliance on that data for security and operational purposes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS S3 Bucket Expiration Lifecycle Configuration Added\u0026quot; to detect the use of \u003ccode\u003ePutBucketLifecycle\u003c/code\u003e or \u003ccode\u003ePutBucketLifecycleConfiguration\u003c/code\u003e APIs with Expiration parameters in your AWS environment.\u003c/li\u003e\n\u003cli\u003eImplement AWS Config rules like \u003ccode\u003es3-bucket-lifecycle-configuration-check\u003c/code\u003e to monitor lifecycle changes.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003es3:PutLifecycleConfiguration\u003c/code\u003e IAM permissions to specific administrative roles to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnable S3 Object Lock on log or evidence buckets to enforce immutability and prevent deletion, referencing the \u0026quot;S3 Object Lock\u0026quot; documentation.\u003c/li\u003e\n\u003cli\u003eReview CloudTrail logs for \u003ccode\u003eDeleteObject\u003c/code\u003e, \u003ccode\u003ePutBucketPolicy\u003c/code\u003e, \u003ccode\u003ePutBucketAcl\u003c/code\u003e, or \u003ccode\u003ePutBucketLogging\u003c/code\u003e events around the same time as the lifecycle configuration change, as these may indicate attempts to disable visibility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-04-s3-bucket-expiration/","summary":"An adversary may add an expiration lifecycle configuration to an Amazon S3 bucket to automatically delete logs, forensic evidence, or sensitive objects, detected via the PutBucketLifecycle or PutBucketLifecycleConfiguration APIs with Expiration parameters.","title":"AWS S3 Bucket Expiration Lifecycle Configuration Added for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-04-s3-bucket-expiration/"}],"language":"en","title":"CraftedSignal Threat Feed - Indicator_removal","version":"https://jsonfeed.org/version/1.1"}