Rules Contributing to Suspicious Modification of S3 Bucket Alert

The following rules are used to identify suspicious activity within S3 Bucket logs. Any one or more of these will trigger the Suspicious Modification of S3 Bucket Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

AWS S3 Data Management Tampering

Detects when a user tampers with S3 data management in Amazon Web Services.

More details

Rule ID

aws_11

Query

{'selection': {'eventSource': 's3.amazonaws.com', 'eventName': ['PutBucketLogging', 'PutBucketWebsite', 'PutEncryptionConfiguration', 'PutLifecycleConfiguration', 'PutReplicationConfiguration', 'ReplicateObject', 'RestoreObject']}, 'condition': 'selection'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,78b3756a-7804-4ef7-8555-7b9024a02e2d

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

TA0010, T1537

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/07/24	low	A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

AWS S3 Bucket Configuration Deletion

Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.

More details

Rule ID

aws_37

Query

{'selection1': {'eventSource': 's3.amazonaws.com'}, 'selection2': {'eventName': ['DeleteBucketPolicy', 'DeleteBucketReplication', 'DeleteBucketCors', 'DeleteBucketEncryption', 'DeleteBucketLifecycle']}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1070

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/05/27	low	Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Modification of AWS S3 Access Control List

This search detects modification of Access Control List of an S3 Bucket.

More details

Rule ID

aws_92

Query

{'selection2': {'eventSource': 's3.amazonaws.com'}, 'selection3': {'eventName': 'PutBucketAcl'}, 'condition': 'selection2 and selection3'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0009, T1530

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2021-07-19	medium	Unknown

AWS Defense Evasion PutBucketLifecycle

This analytic identifies `PutBucketLifecycle` events in CloudTrail logs where a user has created a new lifecycle rule for an S3 bucket with a short expiration period.

More details

Rule ID

aws_113

Query

{'selection1': {'eventSource': 's3.amazonaws.com'}, 'selection2': {'eventName': 'PutBucketLifecycle'}, 'selection3': {'userIdentity_type': 'IAMUser'}, 'selection4': {'errorCode': 'success'}, 'condition': 'selection1 and selection2 and selection3 and selection4'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562, T1562.008

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2022-07-25	medium	While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.