<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Indicator_removal - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/indicator_removal/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Apr 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/indicator_removal/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS S3 Bucket Expiration Lifecycle Configuration Added for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-04-s3-bucket-expiration/</link><pubDate>Mon, 29 Apr 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-04-s3-bucket-expiration/</guid><description>An adversary may add an expiration lifecycle configuration to an Amazon S3 bucket to automatically delete logs, forensic evidence, or sensitive objects, detected via the PutBucketLifecycle or PutBucketLifecycleConfiguration APIs with Expiration parameters.</description><content:encoded><![CDATA[<p>Attackers can abuse Amazon S3 lifecycle rules, which automatically delete or transition objects after a set period, to cover their tracks. By configuring auto-deletion of logs, forensic evidence, or sensitive objects, adversaries can hinder investigations and maintain operational secrecy. This activity is detected by monitoring the use of the <code>PutBucketLifecycle</code> or <code>PutBucketLifecycleConfiguration</code> APIs with Expiration parameters. While legitimate administrators may use these configurations for cost management or retention policies, malicious use indicates potential defense evasion, particularly when applied to buckets containing audit, CloudTrail, or application logs. The original rule was created on 2024/04/12 and updated on 2026/04/10 by Elastic.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account through compromised credentials or an exploited vulnerability.</li>
<li>The attacker identifies an S3 bucket containing valuable data, such as logs, audit trails, or forensic evidence.</li>
<li>The attacker uses the AWS CLI or SDK to execute the <code>PutBucketLifecycle</code> or <code>PutBucketLifecycleConfiguration</code> API, setting an expiration policy.</li>
<li>The expiration policy is configured with a short expiration period (e.g., 1 day) and applies to the entire bucket or specific prefixes (e.g., <code>/logs/</code>).</li>
<li>The attacker enables the lifecycle policy to automatically delete objects after the defined expiration period.</li>
<li>Objects within the S3 bucket are silently and automatically deleted according to the configured lifecycle policy.</li>
<li>Investigators attempting to analyze the attacker's actions find that critical data is missing due to the expiration policy.</li>
<li>The attacker successfully evades detection and hinders forensic analysis by removing evidence of their malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to the deletion of critical security logs, audit trails, and forensic evidence stored in Amazon S3 buckets. This can severely impede incident response efforts, making it difficult or impossible to determine the scope and impact of a security breach. Organizations relying on S3 for compliance purposes may also face regulatory penalties due to the loss of required audit data. The severity depends on the type of data lost and the organization's reliance on that data for security and operational purposes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS S3 Bucket Expiration Lifecycle Configuration Added&quot; to detect the use of <code>PutBucketLifecycle</code> or <code>PutBucketLifecycleConfiguration</code> APIs with Expiration parameters in your AWS environment.</li>
<li>Implement AWS Config rules like <code>s3-bucket-lifecycle-configuration-check</code> to monitor lifecycle changes.</li>
<li>Restrict <code>s3:PutLifecycleConfiguration</code> IAM permissions to specific administrative roles to prevent unauthorized modifications.</li>
<li>Enable S3 Object Lock on log or evidence buckets to enforce immutability and prevent deletion, referencing the &quot;S3 Object Lock&quot; documentation.</li>
<li>Review CloudTrail logs for <code>DeleteObject</code>, <code>PutBucketPolicy</code>, <code>PutBucketAcl</code>, or <code>PutBucketLogging</code> events around the same time as the lifecycle configuration change, as these may indicate attempts to disable visibility.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>s3</category><category>defense_evasion</category><category>indicator_removal</category></item></channel></rss>