Potential AWS S3 Bucket Ransomware Note Uploaded

Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the PutObject S3 API call with a common ransomware note file extension such as .ransom, or .lock. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/04/17"
  3integration = ["aws"]
  4maturity = "production"
  5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
  6min_stack_version = "8.13.0"
  7updated_date = "2024/10/09"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call
 13with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to
 14a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
 15"""
 16false_positives = [
 17    """
 18    Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of
 19    events is not part of a legitimate operation before taking action.
 20    """,
 21]
 22from = "now-9m"
 23language = "esql"
 24license = "Elastic License v2"
 25name = "Potential AWS S3 Bucket Ransomware Note Uploaded"
 26note = """
 27
 28## Triage and Analysis
 29
 30### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded
 31
 32This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
 33
 34#### Possible Investigation Steps:
 35
 36- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
 37- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
 38- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
 39- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
 40- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.
 41- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
 42- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.
 43
 44### False Positive Analysis:
 45
 46- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.
 47- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
 48- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.
 49
 50### Response and Remediation:
 51
 52- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.
 53- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.
 54- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
 55- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
 56- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
 57
 58### Additional Information:
 59
 60For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:
 61- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)
 62- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)
 63- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)
 64"""
 65references = [
 66    "https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf",
 67    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/",
 68    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/",
 69]
 70risk_score = 47
 71rule_id = "7fda9bb2-fd28-11ee-85f9-f661ea17fbce"
 72setup = "AWS S3 data types need to be enabled in the CloudTrail trail configuration."
 73severity = "medium"
 74tags = [
 75    "Domain: Cloud",
 76    "Data Source: AWS",
 77    "Data Source: Amazon Web Services",
 78    "Data Source: AWS S3",
 79    "Use Case: Threat Detection",
 80    "Tactic: Impact",
 81]
 82timestamp_override = "event.ingested"
 83type = "esql"
 84
 85query = '''
 86from logs-aws.cloudtrail-*
 87
 88// any successful uploads via S3 API requests
 89| where event.dataset == "aws.cloudtrail"
 90    and event.provider == "s3.amazonaws.com"
 91    and event.action == "PutObject"
 92    and event.outcome == "success"
 93
 94// abstract object name from API request parameters
 95| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}"
 96
 97// regex on common ransomware note extensions
 98| where object_name rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
 99    and not object_name rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)"
100
101// keep relevant fields
102| keep tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name
103
104// aggregate by S3 bucket, resource and object name
105| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name
106
107// filter for single occurrence to eliminate common upload operations
108| where note_upload_count == 1
109'''
110
111
112[[rule.threat]]
113framework = "MITRE ATT&CK"
114[[rule.threat.technique]]
115id = "T1485"
116name = "Data Destruction"
117reference = "https://attack.mitre.org/techniques/T1485/"
118
119
120[rule.threat.tactic]
121id = "TA0040"
122name = "Impact"
123reference = "https://attack.mitre.org/tactics/TA0040/"

Triage and Analysis

Investigating Potential AWS S3 Bucket Ransomware Note Uploaded

This rule detects the PutObject S3 API call with a common ransomware note file extension such as .ransom, or .lock. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.

Possible Investigation Steps:

  • Identify the Actor: Review the aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
  • Review the Request Details: Examine the aws.cloudtrail.request_parameters to understand the specific details of the PutObject action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
  • Analyze the Source of the Request: Investigate the source.ip and source.geo fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
  • Contextualize with Timestamp: Use the @timestamp field to check when the ransom note was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
  • Inspect the Ransom Note: Review the aws.cloudtrail.request_parameters for the PutObject action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as .txt, .note, .ransom, or .html.
  • Correlate with Other Activities: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
  • Check for Object Deletion or Access: Look for DeleteObject, DeleteObjects, or GetObject API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.

False Positive Analysis:

  • Legitimate Administrative Actions: Confirm if the PutObject action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.
  • Consistency Check: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
  • Verify through Outcomes: Check the aws.cloudtrail.response_elements and the event.outcome to confirm if the upload was successful and intended according to policy.

Response and Remediation:

  • Immediate Review and Reversal if Necessary: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.
  • Enhance Monitoring and Alerts: Adjust monitoring systems to alert on similar PutObject actions, especially those involving sensitive data or unusual file extensions.
  • Educate and Train: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
  • Audit S3 Bucket Policies and Permissions: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
  • Incident Response: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.

Additional Information:

For further guidance on managing S3 bucket security and protecting against ransomware, refer to the AWS S3 documentation and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:

References

Related rules

to-top