Potential AWS S3 Bucket Ransomware Note Uploaded
Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2024/04/17"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.13.0"
updated_date = "2024/10/09"

[rule]
author = ["Elastic"]
description = """
Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call
with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to
a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
"""
false_positives = [
    """
    Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of
    events is not part of a legitimate operation before taking action.
    """,
]
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Potential AWS S3 Bucket Ransomware Note Uploaded"
note = """

## Triage and Analysis

### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded

This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.

#### Possible Investigation Steps:

- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.

### False Positive Analysis:

- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.
- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.

### Response and Remediation:

- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.
- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.

### Additional Information:

For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:
- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)
- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)
- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)
"""
references = [
    "https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf",
    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/",
    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/",
]
risk_score = 47
rule_id = "7fda9bb2-fd28-11ee-85f9-f661ea17fbce"
setup = "AWS S3 data types need to be enabled in the CloudTrail trail configuration."
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS S3",
    "Use Case: Threat Detection",
    "Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws.cloudtrail-*

// any successful uploads via S3 API requests
| where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutObject"
    and event.outcome == "success"

// abstract object name from API request parameters
| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}"

// regex on common ransomware note extensions
| where object_name rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
    and not object_name rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)"

// keep relevant fields
| keep tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name

// aggregate by S3 bucket, resource and object name
| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name

// filter for single occurrence to eliminate common upload operations
| where note_upload_count == 1
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
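To show what the ES|QL query above actually keeps and drops, here is an added Python walkthrough of the same pipeline over constructed CloudTrail events. It is not Elastic's code: the ECS field names come from the rule, but the flattened `request_parameters` string format, the ARNs, bucket names and object keys are all invented for the example. The `extract_object_name` function mirrors the `dissect` pattern (`%{?ignore_values}key=%{object_name}}`), `detect_ransom_notes` applies the two `rlike` filters and the `stats ... | where note_upload_count == 1` step, and `prior_bucket_activity` is a small triage helper for the note's "Check for Object Deletion or Access" step.

```python
"""Python walkthrough of the rule's ES|QL logic over constructed events (not Elastic's code)."""
import re
from collections import Counter

# Patterns copied from the rule's query; applied case-sensitively, as written there.
NOTE_PATTERN = re.compile(
    r"(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)"
)
EXCLUDE_PATTERN = re.compile(r"(AWSLogs|CloudTrail|access-logs)")
# Equivalent of: dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}"
# dissect is non-greedy, so object_name runs from "key=" to the next "}".
KEY_PATTERN = re.compile(r"key=(.*?)\}")
PRIOR_ACTIONS = {"DeleteObject", "DeleteObjects", "GetObject"}


def extract_object_name(request_parameters):
    """Return the S3 object key from the flattened request_parameters string, or None if absent."""
    m = KEY_PATTERN.search(request_parameters or "")
    return m.group(1) if m else None


def detect_ransom_notes(events):
    """Return sorted (server_name, arn, object_name) tuples the rule would alert on."""
    counts = Counter()
    for e in events:
        # successful S3 PutObject calls only
        if not (e.get("event.dataset") == "aws.cloudtrail"
                and e.get("event.provider") == "s3.amazonaws.com"
                and e.get("event.action") == "PutObject"
                and e.get("event.outcome") == "success"):
            continue
        name = extract_object_name(e.get("aws.cloudtrail.request_parameters"))
        if name is None:  # dissect failure: row has no object_name
            continue
        # note-like name, minus log-delivery paths
        if not NOTE_PATTERN.search(name) or EXCLUDE_PATTERN.search(name):
            continue
        counts[(e.get("tls.client.server_name"),
                e.get("aws.cloudtrail.user_identity.arn"), name)] += 1
    # stats ... by bucket, actor, object; keep single occurrences only
    return sorted(key for key, n in counts.items() if n == 1)


def prior_bucket_activity(events, alert):
    """Triage helper: earlier Get/Delete calls by the alerting actor against the same bucket.
    Timestamps are compared as strings, which is valid for the uniform ISO-8601 UTC form used here."""
    server_name, arn, object_name = alert
    note_times = [e["@timestamp"] for e in events
                  if e.get("event.action") == "PutObject"
                  and e.get("aws.cloudtrail.user_identity.arn") == arn
                  and e.get("tls.client.server_name") == server_name
                  and extract_object_name(e.get("aws.cloudtrail.request_parameters")) == object_name]
    if not note_times:
        return []
    note_time = min(note_times)
    return sorted((e["@timestamp"], e["event.action"]) for e in events
                  if e.get("event.action") in PRIOR_ACTIONS
                  and e.get("aws.cloudtrail.user_identity.arn") == arn
                  and e.get("tls.client.server_name") == server_name
                  and e["@timestamp"] < note_time)


def _ev(ts, action, arn, bucket, key=None, outcome="success"):
    """Build a constructed ECS-style CloudTrail event (shape is an assumption for this example)."""
    params = f"{{bucketName={bucket}, Host={bucket}.s3.amazonaws.com"
    if key is not None:
        params += f", key={key}"
    params += "}"
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "s3.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "aws.cloudtrail.request_parameters": params,
            "tls.client.server_name": f"{bucket}.s3.amazonaws.com",
            "aws.cloudtrail.user_identity.arn": arn}


# Constructed sample data: ARNs, buckets and keys are made up.
ACTOR = "arn:aws:iam::123456789012:user/contractor-temp"
CI_ROLE = "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"
LOG_ROLE = "arn:aws:sts::123456789012:assumed-role/log-delivery/session"
SAMPLE_EVENTS = [
    _ev("2024-10-09T02:10:00Z", "GetObject", ACTOR, "example-finance-data", key="q3/ledger.csv"),
    _ev("2024-10-09T02:11:00Z", "DeleteObjects", ACTOR, "example-finance-data"),
    _ev("2024-10-09T02:12:00Z", "PutObject", ACTOR, "example-finance-data", key="how_to_decrypt_your_files.html"),
    # matches "enc" but sits under AWSLogs/access-logs, so the exclusion drops it
    _ev("2024-10-09T02:13:00Z", "PutObject", LOG_ROLE, "example-logs", key="AWSLogs/123456789012/access-logs/enc-2024.gz"),
    # CI rewrites the same lock file twice: count > 1, dropped as a routine upload
    _ev("2024-10-09T02:14:00Z", "PutObject", CI_ROLE, "example-artifacts", key="deploy/build.lock"),
    _ev("2024-10-09T02:15:00Z", "PutObject", CI_ROLE, "example-artifacts", key="deploy/build.lock"),
    _ev("2024-10-09T02:16:00Z", "PutObject", CI_ROLE, "example-artifacts", key="deploy/report.pdf"),
    # note-like name but the upload failed: event.outcome != success
    _ev("2024-10-09T02:17:00Z", "PutObject", ACTOR, "example-finance-data", key="recovery.txt", outcome="failure"),
]

if __name__ == "__main__":
    for alert in detect_ransom_notes(SAMPLE_EVENTS):
        print("ALERT", alert)
        print("  prior activity by same actor on bucket:", prior_bucket_activity(SAMPLE_EVENTS, alert))
```

Run against the sample set, only the `how_to_decrypt_your_files.html` upload by the contractor survives, and the helper surfaces the `GetObject` and `DeleteObjects` calls the same principal made against that bucket minutes earlier, which is exactly the retrieve-then-destroy sequence the rule's note tells the analyst to look for. The repeated `build.lock` writes illustrate why the `note_upload_count == 1` step exists: a note-like name written over and over by automation is a routine upload, not a one-off note drop.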
Related rules
- AWS S3 Object Encryption Using External KMS Key
- AWS S3 Object Versioning Suspended
- AWS S3 Bucket Policy Added to Share with External Account
- AWS S3 Bucket Replicated to Another Account
- AWS RDS DB Instance or Cluster Deletion Protection Disabled