AWS Disable Bucket Versioning

Original Source: [splunk source]
Name:AWS Disable Bucket Versioning
id:657902a9-987d-4879-a1b2-e7a65512824b
version:5
date:2024-11-14
author:Bhavin Patel, Splunk
status:production
type:Anomaly
Description:The following analytic detects when AWS S3 bucket versioning is suspended by a user. It leverages AWS CloudTrail logs to identify `PutBucketVersioning` events with the `VersioningConfiguration.Status` set to `Suspended`. This activity is significant because disabling versioning can prevent recovery of deleted or modified data, which is a common tactic in ransomware attacks. If confirmed malicious, this action could lead to data loss and hinder recovery efforts, severely impacting data integrity and availability.
Data_source:
  • -AWS CloudTrail PutBucketVersioning
search:`cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended
| rename user_name as user, requestParameters.bucketName as bucket_name
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product bucket_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_disable_bucket_versioning_filter`

how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
known_false_positives:It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.
References:
  -https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
   -https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436
 drilldown_searches:
name:'View the detection results for - "$user$"'
search:'%original_detection_search% | search user = "$user$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$user$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Suspicious AWS S3 Activities'
    - 'Data Exfiltration'
  asset_type:AWS Account
  mitre_attack_id:
    - 'T1490'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:threat

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json
  sourcetype: aws:cloudtrail
  source: aws_cloudtrail
manual_test:None

Related Analytic Stories


Suspicious AWS S3 Activities

Data Exfiltration

© 2024 DetectionCode Website. All Rights Reserved.