AWS S3 Bucket Versioning Disable

 1title: AWS S3 Bucket Versioning Disable
 2id: a136ac98-b2bc-4189-a14d-f0d0388e57a7
 3status: experimental
 4description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
 5references:
 6    - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
 7author: Sean Johnstone | Unit 42
 8date: 2023/10/28
 9tags:
10    - attack.impact
11    - attack.t1490
12logsource:
13    product: aws
14    service: cloudtrail
15detection:
16    selection:
17        eventSource: s3.amazonaws.com
18        eventName: PutBucketVersioning
19        requestParameters|contains: 'Suspended'
20    condition: selection
21falsepositives:
22    - AWS administrator legitimately disabling bucket versioning
23level: medium

References

• Ransomware in the cloud

  We have moved this blog to our own website. This allows free access for everyone.

  
  Read More

Related rules

• Delete Volume Shadow Copies Via WMI With PowerShell
• Boot Configuration Tampering Via Bcdedit.EXE
• WannaCry Ransomware Activity
• Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
• New Root or CA or AuthRoot Certificate to Store