
AWS S3 Bucket Versioning Disable

Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

Author: Sean Johnstone | Unit 42
Created: Sat Oct 28
Log Source
Product: AWS (raw: aws)
Service: cloudtrail
Detection Logic
detection:
    selection:
        eventSource: s3.amazonaws.com
        eventName: PutBucketVersioning
        requestParameters|contains: 'Suspended'
    condition: selection
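The selection block above expressed as a small Python matcher and run over constructed CloudTrail records (an added illustration, not code from the rule author or the Sigma project). It assumes requestParameters arrives as a nested object and serialises it to JSON text so the |contains test applies to it the way backends typically do; Sigma string matching is case-insensitive, so values are lower-cased.

```python
import json

# Constructed CloudTrail records (not real log data) that exercise the rule.
SAMPLE_EVENTS = [
    {   # should match: bucket versioning put into the Suspended state
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketVersioning",
        "requestParameters": {
            "bucketName": "example-backups",  # hypothetical bucket name
            "VersioningConfiguration": {"Status": "Suspended"},
        },
    },
    {   # should not match: same API call, but versioning is being enabled
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketVersioning",
        "requestParameters": {
            "bucketName": "example-backups",
            "VersioningConfiguration": {"Status": "Enabled"},
        },
    },
    {   # should not match: 'Suspended' appears, but the eventName differs
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        "requestParameters": {"bucketName": "example-backups", "key": "Suspended.txt"},
    },
]


def _as_text(value) -> str:
    """Serialise a nested field so a Sigma |contains match can be applied to it."""
    return value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))


def matches_rule(event: dict) -> bool:
    """Apply 'selection': every key in a Sigma map must match (implicit AND)."""
    if event.get("eventSource", "").lower() != "s3.amazonaws.com":
        return False
    if event.get("eventName", "").lower() != "putbucketversioning":
        return False
    return "suspended" in _as_text(event.get("requestParameters", "")).lower()


def suspended_buckets(events) -> list:
    """Bucket names from matching events, i.e. what an alert or triage list would carry."""
    return [e["requestParameters"].get("bucketName", "<unknown>")
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in suspended_buckets(SAMPLE_EVENTS):
        print(f"ALERT: versioning suspended on bucket {name}")
```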
False Positives

AWS administrator legitimately disabling bucket versioning

Rule Metadata
Rule ID
a136ac98-b2bc-4189-a14d-f0d0388e57a7
Status
test
Level
medium
Type
Detection
Created
Sat Oct 28
Path
rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml
Raw Tags
attack.impact, attack.t1490