Detect Lifecycle-Triggered Deletion in Elastic Security
Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy every object stored within it. Cloud storage services let users define lifecycle policies that automatically migrate, archive, or delete objects after a set period. A threat actor with permission to modify these policies can apply a rule that expires all objects after one day (the minimum AWS accepts), achieving large-scale data destruction without issuing a single explicit delete call. In AWS, an adversary holding s3:PutLifecycleConfiguration can call PutBucketLifecycleConfiguration (or the legacy PutBucketLifecycle API) to set a short-expiry Expiration rule with an empty prefix filter across an entire bucket. S3 evaluates lifecycle rules asynchronously, roughly once a day, so the deletion lands after a delay; that delay is also the window a defender has to catch and revert the rule. Adversaries have used this mechanism against CloudTrail log delivery buckets to destroy audit evidence alongside operational data, combining data destruction with indicator removal; versioning with Object Lock retention on audit buckets keeps locked object versions from being removed by an expiration rule, and CloudTrail log file validation lets you establish afterwards which log files went missing. Equivalent capabilities exist in Azure Blob Storage lifecycle management policies and in GCP Cloud Storage object lifecycle management.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1485 Data Destruction
- Sub-technique: T1485.001 Lifecycle-Triggered Deletion
- Canonical reference: https://attack.mitre.org/techniques/T1485/001/
Elastic Detection Query

```eql
any where
  (
    // AWS: an S3 lifecycle configuration was written and the call succeeded.
    // In the Elastic CloudTrail integration eventSource maps to event.provider
    // and eventName to event.action; a failed call carries aws.cloudtrail.error_code
    // and event.outcome "failure", so filtering on event.outcome drops it.
    event.dataset == "aws.cloudtrail" and
    event.provider == "s3.amazonaws.com" and
    event.action in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration") and
    event.outcome == "success"
  ) or
  (
    // Azure: a storage account management (lifecycle) policy was written.
    // operation_name is stored upper-cased, hence the case-insensitive like~ and in~.
    event.dataset == "azure.activitylogs" and
    azure.activitylogs.operation_name like~ "*managementpolicies/write*" and
    event.outcome in~ ("success")
  )
```

Detects successful AWS S3 PutBucketLifecycle and PutBucketLifecycleConfiguration calls and successful Azure Blob Storage management-policy writes that may indicate lifecycle-triggered mass data destruction (T1485.001). It targets the Elastic AWS integration index (logs-aws.cloudtrail-*) and the Elastic Azure Activity Logs integration (logs-azure.activitylogs-*). The base rule identifies the API events only. To enforce the short-expiry threshold (<= 7 days), add an ingest pipeline or runtime field that parses the aws.cloudtrail.request_parameters JSON string and promotes the Expiration.Days value (and NoncurrentVersionExpiration.NoncurrentDays on versioned buckets) to a searchable numeric field, then filter on that field. The Azure branch fires on every policy write; confirm the daysAfterModificationGreaterThan values by reading the policy back from the storage account during triage.
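The rule and the enrichment step described above, as an added example that is not code from this page or from Elastic: the EQL logic re-implemented in plain Python and run over constructed ECS-style documents, with Expiration.Days pulled out of the aws.cloudtrail.request_parameters JSON string and the <= 7 day filter applied to it. Field names follow the Elastic AWS and Azure integrations; the requestParameters shape (one Rule arrives as an object, several as a list) is an assumption about how CloudTrail serialises the S3 lifecycle XML, so check it against your own samples.

```python
"""
Added example (not page or Elastic code): the EQL rule above in plain Python,
plus the short-expiry enrichment (Expiration.Days promoted out of the
aws.cloudtrail.request_parameters JSON string). Runs offline over constructed
ECS-style documents. The requestParameters layout is an assumption.
"""
import fnmatch
import json

SHORT_EXPIRY_MAX_DAYS = 7
S3_LIFECYCLE_ACTIONS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def _get(doc, *path, default=None):
    """Walk nested dicts; return default instead of raising on a missing key."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc


def matches_base_rule(doc):
    """The two branches of the EQL rule evaluated against one document."""
    dataset = _get(doc, "event", "dataset")
    outcome = str(_get(doc, "event", "outcome", default="")).lower()
    if dataset == "aws.cloudtrail":
        return (_get(doc, "event", "provider") == "s3.amazonaws.com"
                and _get(doc, "event", "action") in S3_LIFECYCLE_ACTIONS
                and outcome == "success")
    if dataset == "azure.activitylogs":
        op = str(_get(doc, "azure", "activitylogs", "operation_name", default="")).lower()
        # like~ "*managementpolicies/write*": case-insensitive wildcard match
        return fnmatch.fnmatchcase(op, "*managementpolicies/write*") and outcome == "success"
    return False


def parse_request_parameters(raw):
    """Elastic stores CloudTrail requestParameters as a JSON string; tolerate dicts too."""
    if isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw) if isinstance(raw, str) else {}
    except ValueError:
        return {}


def min_expiration_days(params):
    """Smallest Days / NoncurrentDays across enabled expiration rules, or None
    when the configuration only transitions objects and never expires them."""
    rules = _get(params, "LifecycleConfiguration", "Rule", default=[])
    rules = rules if isinstance(rules, list) else [rules]  # assumption: single rule is an object
    days = []
    for rule in rules:
        if rule.get("Status") != "Enabled":
            continue
        for d in (_get(rule, "Expiration", "Days"),
                  _get(rule, "NoncurrentVersionExpiration", "NoncurrentDays")):
            if isinstance(d, int):
                days.append(d)
    return min(days) if days else None


def evaluate(docs):
    """One alert per matching document; short_expiry is the enriched filter
    that the base rule alone cannot apply."""
    alerts = []
    for doc in docs:
        if not matches_base_rule(doc):
            continue
        days, target = None, _get(doc, "azure", "resource", "id")
        if _get(doc, "event", "dataset") == "aws.cloudtrail":
            params = parse_request_parameters(_get(doc, "aws", "cloudtrail", "request_parameters"))
            target, days = params.get("bucketName"), min_expiration_days(params)
        alerts.append({"dataset": _get(doc, "event", "dataset"), "target": target,
                       "min_expiration_days": days,
                       "short_expiry": days is not None and days <= SHORT_EXPIRY_MAX_DAYS})
    return alerts


# Constructed sample documents (not real telemetry).
_WIPE = json.dumps({"bucketName": "prod-data-lake", "LifecycleConfiguration": {"Rule": {
    "ID": "wipe", "Status": "Enabled", "Filter": {"Prefix": ""}, "Expiration": {"Days": 1}}}})
_TIERING = json.dumps({"bucketName": "finops-archive", "LifecycleConfiguration": {"Rule": [
    {"ID": "glacier", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Transition": {"Days": 30, "StorageClass": "GLACIER"}},
    {"ID": "tmp", "Status": "Enabled", "Filter": {"Prefix": "tmp/"}, "Expiration": {"Days": 365}}]}})


def _aws(outcome, params):
    return {"event": {"dataset": "aws.cloudtrail", "provider": "s3.amazonaws.com",
                      "action": "PutBucketLifecycleConfiguration", "outcome": outcome},
            "aws": {"cloudtrail": {"request_parameters": params}}}


def _azure(operation):
    return {"event": {"dataset": "azure.activitylogs", "outcome": "Success"},
            "azure": {"activitylogs": {"operation_name": operation},
                      "resource": {"id": "/subscriptions/0000/resourceGroups/rg/providers/"
                                         "Microsoft.Storage/storageAccounts/examplesa"}}}


SAMPLE_DOCS = [
    _aws("success", _WIPE),     # attacker: expire everything after one day
    _aws("success", _TIERING),  # FinOps: Glacier tiering plus a 365-day tmp/ expiry
    _aws("failure", _WIPE),     # same call denied: outcome failure, not matched
    _azure("MICROSOFT.STORAGE/STORAGEACCOUNTS/MANAGEMENTPOLICIES/WRITE"),
    _azure("MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"),  # unrelated write
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_DOCS):
        print(alert)
```

Only the first sample comes out flagged as short_expiry; the FinOps configuration still matches the base rule (which is the false-positive class the tuning section describes) but carries a 365-day minimum, and the Azure hit has no parsed expiry at all, which is why the threshold has to be an enrichment rather than part of the base query.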
Data Sources
- AWS CloudTrail management events, ingested by the Elastic AWS integration into logs-aws.cloudtrail-*. S3 bucket-level operations such as PutBucketLifecycleConfiguration are management events and are recorded by default; no data-event logging is needed.
- Azure Activity Logs, ingested by the Elastic Azure integration into logs-azure.activitylogs-*. Storage account management-policy writes are control-plane operations and appear there.
False Positives & Tuning
- Legitimate storage cost optimization: platform or FinOps teams routinely set or update S3 lifecycle policies to move objects to cheaper storage tiers (Glacier, Intelligent-Tiering) or expire temporary/scratch data after expected retention windows, generating identical API calls.
- Infrastructure-as-code deployments: Terraform, CloudFormation, or Pulumi pipelines applying storage module configurations will call PutBucketLifecycleConfiguration on every plan apply, including in dev and staging accounts, often in bulk across many buckets.
- Azure Policy and Blueprints remediation sweeps: Azure governance automation enforcing lifecycle management policies across subscriptions will write managementpolicies on all non-compliant storage accounts during remediation, producing many simultaneous benign hits.
- Automated GDPR or HIPAA data retention workflows: compliance-driven scripts that apply or update short-expiry lifecycle rules on buckets holding regulated PII after the legal retention period has elapsed are expected to trigger this detection.
Testing Methodology
Validate this detection with the four atomic tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see in Elastic. Executable commands and cleanup steps are available with Pro.
- Test 1: Apply 1-Day Deletion Lifecycle to S3 Bucket
Expected signal: one CloudTrail management event with EventName=PutBucketLifecycleConfiguration, EventSource=s3.amazonaws.com and requestParameters.bucketName=<BUCKET_NAME>; requestParameters carries the lifecycle JSON with Days=1 and an empty Prefix. In logs-aws.cloudtrail-* this surfaces as event.action=PutBucketLifecycleConfiguration, event.provider=s3.amazonaws.com, event.outcome=success, with the caller in aws.cloudtrail.user_identity.arn, the source address in source.ip, a user_agent.original beginning with aws-cli/ when the CLI is used, and the raw payload in aws.cloudtrail.request_parameters.
- Test 2: Apply Lifecycle Deletion to CloudTrail Log Delivery Bucket
Expected signal: two CloudTrail events: (1) DescribeTrails (read-only), the reconnaissance step that reveals the trail's S3 bucket, and (2) PutBucketLifecycleConfiguration against that bucket. DescribeTrails immediately followed by a lifecycle write on the trail's bucket from the same identity is a high-fidelity pairing for a hunting query.
- Test 3: Azure Blob Storage Lifecycle Management Policy, Short Expiry
Expected signal: an Azure Activity Log event with OperationName=microsoft.storage/storageaccounts/managementpolicies/write and ActivityStatus=Succeeded, carrying the caller (UPN or service principal), the caller IP address and a ResourceId that includes the storage account name. In logs-azure.activitylogs-* the operation lands in azure.activitylogs.operation_name (upper-cased), the caller IP in source.ip and the resource ID in azure.resource.id, typically 5-15 minutes after execution.
- Test 4: Enumerate S3 Buckets and Apply Bulk Lifecycle Deletion (Multi-Bucket Ransomware Simulation)
Expected signal: a ListBuckets event followed by several PutBucketLifecycleConfiguration events in rapid succession, all sharing the same aws.cloudtrail.user_identity.arn and source.ip but targeting different buckets. N lifecycle writes against distinct buckets inside five minutes from a single actor is highly anomalous and is the burst pattern a hunting query should key on.
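The two correlation patterns described in Tests 2 and 4, as an added example that is not part of this page or of any vendor hunting pack: a pass over constructed, already-flattened CloudTrail events that flags a lifecycle write on a CloudTrail log bucket (with or without a preceding DescribeTrails) and a burst of lifecycle writes across several buckets from one actor (with or without a preceding ListBuckets). The window sizes and the requirement that you supply the set of CloudTrail log bucket names are assumptions; CloudTrail does not record the DescribeTrails response, so the trail-to-bucket mapping has to come from your own trail inventory.

```python
"""
Added example (not page or vendor code): the DescribeTrails -> lifecycle write
on a log bucket pairing and the ListBuckets -> burst of lifecycle writes
pattern, over constructed CloudTrail events. Windows and thresholds are
assumptions; tune them to your own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=5)   # lifecycle writes counted inside this window
BURST_MIN_BUCKETS = 3                 # ... against at least this many distinct buckets
RECON_WINDOW = timedelta(minutes=10)  # how far back to look for the recon call
LIFECYCLE_WRITE = "PutBucketLifecycleConfiguration"


def _had_recon(actor_events, action, before_ts):
    """Did this actor issue `action` in the RECON_WINDOW before `before_ts`?"""
    return any(e["action"] == action and before_ts - RECON_WINDOW <= e["ts"] <= before_ts
               for e in actor_events)


def hunt(events, cloudtrail_log_buckets):
    """events: dicts with ts (datetime), actor (aws.cloudtrail.user_identity.arn),
    src_ip (source.ip), action (event.action) and bucket (None for non-S3 calls).
    Returns one finding per (actor, src_ip, pattern), oldest actor first."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[(e["actor"], e["src_ip"])].append(e)

    findings = []
    for (actor, src_ip), evs in by_actor.items():
        writes = [e for e in evs if e["action"] == LIFECYCLE_WRITE]

        # Pattern 1 (Test 2): lifecycle write on an audit-log bucket, DescribeTrails recon.
        for w in writes:
            if w["bucket"] in cloudtrail_log_buckets:
                findings.append({"pattern": "cloudtrail_log_bucket_lifecycle",
                                 "actor": actor, "src_ip": src_ip, "bucket": w["bucket"],
                                 "recon": _had_recon(evs, "DescribeTrails", w["ts"])})

        # Pattern 2 (Test 4): burst of writes across distinct buckets, ListBuckets recon.
        for i, w in enumerate(writes):
            in_window = [x for x in writes[i:] if x["ts"] - w["ts"] <= BURST_WINDOW]
            buckets = sorted({x["bucket"] for x in in_window})
            if len(buckets) >= BURST_MIN_BUCKETS:
                findings.append({"pattern": "bulk_lifecycle_burst",
                                 "actor": actor, "src_ip": src_ip, "buckets": buckets,
                                 "recon": _had_recon(evs, "ListBuckets", w["ts"])})
                break  # one burst finding per actor; triage the rest from it
    return findings


def _ev(minute, actor, src_ip, action, bucket=None):
    """Constructed sample event on a single day; not real telemetry."""
    return {"ts": datetime(2024, 1, 1, 12, minute), "actor": actor,
            "src_ip": src_ip, "action": action, "bucket": bucket}


ATTACKER = "arn:aws:iam::111122223333:user/compromised"
TERRAFORM = "arn:aws:sts::111122223333:assumed-role/terraform-apply/ci"
SAMPLE_EVENTS = [
    _ev(0, ATTACKER, "198.51.100.7", "ListBuckets"),
    _ev(1, ATTACKER, "198.51.100.7", LIFECYCLE_WRITE, "prod-data-lake"),
    _ev(1, ATTACKER, "198.51.100.7", LIFECYCLE_WRITE, "backups"),
    _ev(2, ATTACKER, "198.51.100.7", LIFECYCLE_WRITE, "customer-exports"),
    _ev(3, ATTACKER, "198.51.100.7", LIFECYCLE_WRITE, "prod-data-lake"),
    _ev(10, ATTACKER, "198.51.100.7", "DescribeTrails"),
    _ev(11, ATTACKER, "198.51.100.7", LIFECYCLE_WRITE, "org-cloudtrail-logs"),
    # IaC role touching two buckets 40 minutes apart: the tuning case, not a burst.
    _ev(5, TERRAFORM, "10.0.0.5", LIFECYCLE_WRITE, "finops-archive"),
    _ev(45, TERRAFORM, "10.0.0.5", LIFECYCLE_WRITE, "finops-scratch"),
]
CLOUDTRAIL_LOG_BUCKETS = {"org-cloudtrail-logs"}

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, CLOUDTRAIL_LOG_BUCKETS):
        print(finding)
```

The burst pattern keys on distinct buckets rather than raw event count so that a pipeline re-applying the same configuration to one bucket does not trip it, and the `recon` flag is carried as context rather than required, because an adversary who already knows the bucket names skips ListBuckets and DescribeTrails entirely.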
References
- https://attack.mitre.org/techniques/T1485/001/
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html
- https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
- https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/
- https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
- https://cloud.google.com/storage/docs/lifecycle
- https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html