Potential AWS S3 Bucket Ransomware Note Uploaded

  1[metadata]
  2creation_date = "2024/04/17"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/07/16"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call
 11with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured
 12S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
 13"""
 14false_positives = [
 15    """
 16    Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of
 17    events is not part of a legitimate operation before taking action.
 18    """,
 19]
 20from = "now-9m"
 21language = "esql"
 22license = "Elastic License v2"
 23name = "Potential AWS S3 Bucket Ransomware Note Uploaded"
 24note = """## Triage and analysis
 25
 26### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded
 27
 28This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
 29
 30#### Possible Investigation Steps:
 31
 32- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
 33- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
 34- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
 35- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
 36- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.
 37- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
 38- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.
 39
 40### False Positive Analysis:
 41
 42- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.
 43- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
 44- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.
 45
 46### Response and Remediation:
 47
 48- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.
 49- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.
 50- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
 51- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
 52- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
 53
 54### Additional Information:
 55
 56For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:
 57- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)
 58- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)
 59- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)
 60"""
 61references = [
 62    "https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf",
 63    "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/",
 64    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/",
 65]
 66risk_score = 47
 67rule_id = "7fda9bb2-fd28-11ee-85f9-f661ea17fbce"
 68setup = "AWS S3 data types need to be enabled in the CloudTrail trail configuration."
 69severity = "medium"
 70tags = [
 71    "Domain: Cloud",
 72    "Data Source: AWS",
 73    "Data Source: Amazon Web Services",
 74    "Data Source: AWS S3",
 75    "Use Case: Threat Detection",
 76    "Tactic: Impact",
 77    "Resources: Investigation Guide",
 78]
 79timestamp_override = "event.ingested"
 80type = "esql"
 81
 82query = '''
 83from logs-aws.cloudtrail-*
 84
 85// any successful uploads via S3 API requests
 86| where
 87  event.dataset == "aws.cloudtrail"
 88  and event.provider == "s3.amazonaws.com"
 89  and event.action == "PutObject"
 90  and event.outcome == "success"
 91
 92// extract object key from API request parameters
 93| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{Esql.aws_cloudtrail_request_parameters_object_key}}"
 94
 95// regex match against common ransomware naming patterns
 96| where
 97  Esql.aws_cloudtrail_request_parameters_object_key rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
 98  and not Esql.aws_cloudtrail_request_parameters_object_key rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)"
 99
100// keep relevant ECS and derived fields
101| keep
102  tls.client.server_name,
103  aws.cloudtrail.user_identity.arn,
104  Esql.aws_cloudtrail_request_parameters_object_key
105
106// aggregate by server name, actor, and object key
107| stats
108    Esql.event_count = count(*)
109  by
110    tls.client.server_name,
111    aws.cloudtrail.user_identity.arn,
112    Esql.aws_cloudtrail_request_parameters_object_key
113
114// filter for rare single uploads (likely test/detonation)
115| where Esql.event_count == 1
116'''
117
118
119[[rule.threat]]
120framework = "MITRE ATT&CK"
121[[rule.threat.technique]]
122id = "T1485"
123name = "Data Destruction"
124reference = "https://attack.mitre.org/techniques/T1485/"
125
126
127[rule.threat.tactic]
128id = "TA0040"
129name = "Impact"
130reference = "https://attack.mitre.org/tactics/TA0040/"