AWS S3 Object Versioning Suspended

 1[metadata]
 2creation_date = "2024/07/12"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/08/02"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket. This allows for easy recovery of deleted or overwritten objects. When object versioning is suspended for a bucket, it could indicate an adversary's attempt to inhibit system recovery following malicious activity. Additionally, when versioning is suspended, buckets can then be deleted. 
11"""
12false_positives = [
13    """
14    Administrators within an AWS Organization structure may legitimately suspend object versioning. Ensure that this behavior is not part of a legitimate operation before taking action.
15    """,
16]
17from = "now-6m"
18index = ["filebeat-*", "logs-aws.cloudtrail-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "AWS S3 Object Versioning Suspended"
22note = """
23
24## Triage and Analysis
25
26### Investigating AWS S3 Object Versioning Suspended
27
28This rule detects when object versioning for an S3 bucket is suspended. Adversaries with access to a misconfigured S3 bucket may disable object versioning prior to replacing or deleting S3 objects, inhibiting recovery initiatives.
29This rule uses [EQL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-eql-rule) to look for use of the `PutBucketVersioning` operation where the `request_parameters` include `Status=Suspended`.
30
31#### Possible Investigation Steps:
32
33- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.
34- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
35- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.
36- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.
37- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.
38
39### False Positive Analysis:
40
41- **Legitimate Administrative Actions**: Confirm if the action aligns with legitimate administrative tasks documented in change management systems.
42- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
43
44### Response and Remediation:
45
46- **Immediate Review**: If the activity was unauthorized, search for replaced or deleted objects and review the bucket's access logs for any suspicious activity.
47- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.
48- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.
49- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
50
51### Additional Information:
52
53For further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:
54- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)
55- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)
56"""
57references = [
58    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html/",
59    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html/",
60    "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation/",
61    "https://www.invictus-ir.com/news/ransomware-in-the-cloud/",
62    "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/",
63]
64risk_score = 47
65rule_id = "30b5bb96-c7db-492c-80e9-1eab00db580b"
66severity = "medium"
67tags = [
68    "Domain: Cloud",
69    "Data Source: AWS",
70    "Data Source: Amazon Web Services",
71    "Data Source: AWS S3",
72    "Use Case: Threat Detection",
73    "Tactic: Impact",
74]
75timestamp_override = "event.ingested"
76type = "eql"
77
78query = '''
79any where event.dataset == "aws.cloudtrail" 
80   and event.action == "PutBucketVersioning"
81   and event.outcome == "success" 
82   and stringContains(aws.cloudtrail.request_parameters, "Status=Suspended")
83'''
84
85
86[[rule.threat]]
87framework = "MITRE ATT&CK"
88[[rule.threat.technique]]
89id = "T1490"
90name = "Inhibit System Recovery"
91reference = "https://attack.mitre.org/techniques/T1490/"
92
93
94[rule.threat.tactic]
95id = "TA0040"
96name = "Impact"
97reference = "https://attack.mitre.org/tactics/TA0040/"