T1485.001 Google Chronicle · YARA-L

Detect Lifecycle-Triggered Deletion in Google Chronicle

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets allow users to set lifecycle policies to automate migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they can apply a rule that expires all objects within one day, achieving large-scale data destruction without issuing explicit delete commands. In AWS environments, an adversary with the s3:PutLifecycleConfiguration permission may invoke the PutBucketLifecycle API call to set a short-expiry deletion rule across an entire bucket. Adversaries have also exploited this mechanism against CloudTrail log storage buckets to destroy audit evidence alongside operational data, combining data destruction with indicator removal. Similar capabilities exist in Azure Blob Storage lifecycle management policies and GCP Storage object lifecycle management.

MITRE ATT&CK

Tactic: Impact
Technique: T1485 Data Destruction
Sub-technique: T1485.001 Lifecycle-Triggered Deletion
Canonical reference: https://attack.mitre.org/techniques/T1485/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1485_001_lifecycle_triggered_deletion {
  meta:
    author = "Detection Engineering"
    description = "Detects AWS S3 PutBucketLifecycle/PutBucketLifecycleConfiguration API calls and Azure Blob Storage managementpolicies/write operations that may enable lifecycle-triggered mass data destruction (T1485.001 - Data Destruction: Lifecycle-Triggered Deletion)"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1485.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1485/001/"
    created = "2026-04-13"

  events:
    (
      (
        $e.metadata.vendor_name = "AMAZON" and
        $e.metadata.product_name = "AWS CloudTrail" and
        (
          $e.metadata.product_event_type = "PutBucketLifecycle" or
          $e.metadata.product_event_type = "PutBucketLifecycleConfiguration"
        ) and
        $e.target.resource.resource_type = "STORAGE_BUCKET"
      ) or
      (
        $e.metadata.vendor_name = "MICROSOFT" and
        $e.metadata.product_name = "Azure Activity" and
        re.regex($e.metadata.product_event_type, `(?i)managementpolicies.*write`) and
        $e.security_result.action = "ALLOW"
      )
    )
    $e.principal.user.userid = $actor

  condition:
    $e
}

This Google Chronicle YARA-L 2.0 rule detects S3 lifecycle policy modification events and Azure Blob Storage management policy writes via UDM normalization. It requires AWS CloudTrail and Azure Activity Log feeds to be ingested and normalized into Chronicle UDM. The rule matches metadata.product_event_type against the exact S3 API call names and regex-matches the Azure operation name pattern. The short-expiry threshold check (<=7 days) cannot be natively expressed in YARA-L 2.0 without a reference list or a UDM field that stores a parsed numeric value; consider enriching the Chronicle ingestion pipeline to promote the expiration day count into a UDM extension field and add it as an additional events predicate.
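The enrichment suggested above needs a parser for the lifecycle body carried in requestParameters. The following Python is an added example, not part of this page's detection package: it extracts the shortest bucket-wide Expiration.Days from a constructed CloudTrail PutBucketLifecycleConfiguration record (the JSON layout of requestParameters, with Rule as one object or a list, is an assumption) so the value can be promoted into a UDM extension field and compared against the 7-day threshold.

```python
import json
from typing import Optional

# Constructed CloudTrail record, not taken from the page. The requestParameters
# layout (LifecycleConfiguration.Rule as one object or a list) is an assumption
# about how CloudTrail renders the PutBucketLifecycleConfiguration request body.
SAMPLE_EVENT = json.loads("""{
  "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycleConfiguration",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
  "requestParameters": {"bucketName": "example-bucket", "LifecycleConfiguration": {
    "Rule": [
      {"ID": "archive", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
       "Transition": {"Days": 30, "StorageClass": "GLACIER"}},
      {"ID": "purge", "Status": "Enabled", "Filter": {"Prefix": ""},
       "Expiration": {"Days": 1}}]}}}""")


def _rules(event: dict) -> list:
    cfg = event.get("requestParameters", {}).get("LifecycleConfiguration", {})
    rules = cfg.get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def _is_bucket_wide(rule: dict) -> bool:
    """Empty/absent prefix and no tag filter means the rule covers every object."""
    if "Prefix" in rule:  # legacy top-level Prefix form
        return not rule["Prefix"]
    flt = rule.get("Filter") or {}
    return not flt.get("Prefix") and not flt.get("Tag") and not flt.get("And")


def min_expiration_days(event: dict, bucket_wide_only: bool = True) -> Optional[int]:
    """Shortest Expiration.Days among enabled rules, or None if nothing expires."""
    days = []
    for rule in _rules(event):
        if rule.get("Status") != "Enabled":
            continue
        if bucket_wide_only and not _is_bucket_wide(rule):
            continue
        d = (rule.get("Expiration") or {}).get("Days")
        if isinstance(d, int):
            days.append(d)
    return min(days) if days else None


def is_short_expiry(event: dict, threshold_days: int = 7) -> bool:
    """The predicate the YARA-L rule cannot express: bucket-wide expiry <= threshold."""
    d = min_expiration_days(event)
    return d is not None and d <= threshold_days
```

Run is_short_expiry at ingestion time and write min_expiration_days into an extension field; the YARA-L events section can then compare that field against 7 instead of firing on every lifecycle write.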

Data Sources

  • AWS CloudTrail Chronicle ingestion feed normalized to UDM
  • Azure Activity Logs Chronicle ingestion feed normalized to UDM

Required Tables

UDM events — metadata.vendor_name AMAZON and MICROSOFT

False Positives & Tuning

  • Authorized platform engineering lifecycle changes: teams managing S3 storage classes and expiry configurations as part of FinOps cost reduction programs routinely invoke PutBucketLifecycleConfiguration in bulk across all accounts in an AWS Organization.
  • Azure Policy remediation tasks: Azure Policy assignments enforcing lifecycle management policies will write managementpolicies on all non-compliant storage accounts during remediation sweeps, generating many simultaneous ALLOW events from the policy service principal.
  • IaC pipeline application of Terraform storage modules: every Terraform apply that includes an aws_s3_bucket_lifecycle_configuration resource will invoke PutBucketLifecycleConfiguration regardless of whether the policy content changed, including no-op plan runs.
  • Data retention and archival automation services: AWS-native services (Backup, Data Lifecycle Manager) and third-party archival platforms (Veeam, Cohesity) invoke S3 lifecycle APIs as part of normal archival policy enforcement workflows.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Apply 1-Day Deletion Lifecycle to S3 Bucket

    Expected signal: AWS CloudTrail management event: EventName=PutBucketLifecycleConfiguration, EventSource=s3.amazonaws.com, requestParameters.bucketName=<BUCKET_NAME>. The requestParameters will contain the lifecycle JSON with Days=1 and empty Prefix. Sentinel AWSCloudTrail table: TimeGenerated, UserIdentityArn, EventName=PutBucketLifecycleConfiguration, SourceIpAddress, UserAgent=aws-cli.

  2. Test 2: Apply Lifecycle Deletion to CloudTrail Log Delivery Bucket

    Expected signal: Two CloudTrail events: (1) DescribeTrails (readonly) showing reconnaissance step, (2) PutBucketLifecycleConfiguration against the CloudTrail log bucket. The combination of DescribeTrails immediately followed by PutBucketLifecycleConfiguration on the trail's S3 bucket is a high-fidelity indicator in the Sentinel hunting query 2.

  3. Test 3: Azure Blob Storage Lifecycle Management Policy — Short Expiry

    Expected signal: Azure Activity Log event: OperationName=microsoft.storage/storageaccounts/managementpolicies/write, ActivityStatus=Succeeded, Caller=<UPN or service principal>, CallerIpAddress=<source IP>, ResourceId includes the storage account name. Event appears in Sentinel AzureActivity table within 5-15 minutes of execution.

  4. Test 4: Enumerate S3 Buckets and Apply Bulk Lifecycle Deletion (Multi-Bucket Ransomware Simulation)

    Expected signal: Multiple PutBucketLifecycleConfiguration CloudTrail events in rapid succession, all with the same UserIdentityArn and SourceIpAddress, targeting different S3 buckets. Also generates a ListBuckets event immediately prior. This burst pattern (N lifecycle events in <5 minutes from single actor) is highly anomalous and directly triggers hunting query 1.
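The burst pattern described in Test 4 (N lifecycle writes against distinct buckets from one actor inside a 5-minute window) can be checked offline over exported CloudTrail records. This Python is an added example, not one of the page's hunting queries; the events, actor ARNs and source IPs are constructed, and only the record fields the check needs are modelled.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIFECYCLE_CALLS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def _ev(time, name, arn, ip, bucket=None):
    """Build a minimal CloudTrail-shaped record (helper for the sample data)."""
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "requestParameters": {"bucketName": bucket}}


# Constructed sample telemetry, not from the page: one actor sweeps three buckets
# inside two minutes after a ListBuckets call; a pipeline role touches one bucket.
OPS = "arn:aws:iam::111122223333:user/ops"
TF = "arn:aws:sts::111122223333:assumed-role/terraform/run-42"
SAMPLE_EVENTS = [
    _ev("2026-04-13T10:00:05Z", "ListBuckets", OPS, "203.0.113.10"),
    _ev("2026-04-13T10:00:30Z", "PutBucketLifecycleConfiguration", OPS, "203.0.113.10", "data-a"),
    _ev("2026-04-13T10:01:10Z", "PutBucketLifecycleConfiguration", OPS, "203.0.113.10", "data-b"),
    _ev("2026-04-13T10:02:40Z", "PutBucketLifecycleConfiguration", OPS, "203.0.113.10", "data-c"),
    _ev("2026-04-13T10:00:00Z", "PutBucketLifecycleConfiguration", TF, "198.51.100.7", "logs"),
    _ev("2026-04-13T11:30:00Z", "PutBucketLifecycleConfiguration", OPS, "203.0.113.10", "data-d"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def lifecycle_bursts(events, window=timedelta(minutes=5), min_buckets=3):
    """Map (actor arn, source ip) -> set of buckets for actors whose lifecycle
    writes hit at least min_buckets distinct buckets within any single window."""
    per_actor = defaultdict(list)
    for e in events:
        if e["eventName"] not in LIFECYCLE_CALLS:
            continue
        key = (e["userIdentity"]["arn"], e["sourceIPAddress"])
        per_actor[key].append((_ts(e["eventTime"]), e["requestParameters"]["bucketName"]))
    hits = {}
    for key, writes in per_actor.items():
        writes.sort()
        for i, (start, _) in enumerate(writes):
            # window anchored at each write; later writes inside it are in scope
            buckets = {b for t, b in writes[i:] if t - start <= window}
            if len(buckets) >= min_buckets:
                hits[key] = hits.get(key, set()) | buckets
    return hits
```

Keying on both ARN and source IP mirrors the expected signal above; the IaC pipeline role in the sample stays below the threshold, which is the tuning point the False Positives section describes.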
