AWS Defense Evasion PutBucketLifecycle

Try in Splunk Security Cloud

Description

This analytic identifies PutBucketLifecycle events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period. Attackers may use this API call to impair the CloudTrail logging by removing logs from the S3 bucket by changing the object expiration day to 1 day, in which case the CloudTrail logs will be deleted.

• Type: Hunting

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2022-07-25
• Author: Bhavin Patel
• ID: ce1c0e2b-9303-4903-818b-0d9002fc6ea4

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1562.008	Disable or Modify Cloud Logs	Defense Evasion

T1562

Impair Defenses

Defense Evasion

Kill Chain Phase

• Exploitation

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success 
|  spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days 
|  spath path=requestParameters{}.bucketName output=bucket_name 
| stats count min(_time) as firstTime max(_time) as lastTime  by src region eventName userAgent user_arn aws_account_id expiration_days  bucket_name user_type
| `security_content_ctime(firstTime)` 
|  `security_content_ctime(lastTime)` 
| where expiration_days < 3 
| `aws_defense_evasion_putbucketlifecycle_filter`

Macros

The SPL above uses the following Macros:

• cloudtrail
• security_content_ctime

aws_defense_evasion_putbucketlifecycle_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• eventName
• eventSource
• requestParameters.name
• userAgent
• aws_account_id
• src
• region
• requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days
• requestParameters{}.bucketName

How To Implement

You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies.

Known False Positives

While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.

Associated Analytic Story

• AWS Defense Evasion

RBA

Risk Score	Impact	Confidence	Message
20.0	50	40	User $user_arn$ has created a new rule to on an S3 bucket $bucket_name$ with short expiration days

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1