sigmaDRL-1.1from SigmaHQ/sigma
AWS S3 Bucket Versioning Disable
Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml
title: AWS S3 Bucket Versioning Disable
id: a136ac98-b2bc-4189-a14d-f0d0388e57a7
status: test
description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
references:
- https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
author: Sean Johnstone | Unit 42
date: 2023-10-28
tags:
- attack.impact
- attack.t1490
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: s3.amazonaws.com
eventName: PutBucketVersioning
requestParameters|contains: 'Suspended'
condition: selection
falsepositives:
- AWS administrator legitimately disabling bucket versioning
level: medium