T1485.001 CrowdStrike LogScale · LogScale

Detect Lifecycle-Triggered Deletion in CrowdStrike LogScale

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets allow users to set lifecycle policies to automate migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they can apply a rule that expires all objects within one day, achieving large-scale data destruction without issuing explicit delete commands. In AWS environments, an adversary with the s3:PutLifecycleConfiguration permission may invoke the PutBucketLifecycle API call to set a short-expiry deletion rule across an entire bucket. Adversaries have also exploited this mechanism against CloudTrail log storage buckets to destroy audit evidence alongside operational data, combining data destruction with indicator removal. Similar capabilities exist in Azure Blob Storage lifecycle management policies and GCP Storage object lifecycle management.

MITRE ATT&CK

Tactic: Impact
Technique: T1485 Data Destruction
Sub-technique: T1485.001 Lifecycle-Triggered Deletion
Canonical reference: https://attack.mitre.org/techniques/T1485/001/

LogScale Detection Query

// Targets AWS CloudTrail events ingested via the CrowdStrike Falcon Horizon cloud connector or a direct CloudTrail-to-LogScale ingest.
// Field names (eventSource, eventName, requestParameters, userIdentityArn, ...) assume a flattened CloudTrail parser;
// if your parser nests them (for example userIdentity.arn), rename them accordingly.
#kind=event
| eventSource = "s3.amazonaws.com"
| in(eventName, values=["PutBucketLifecycle", "PutBucketLifecycleConfiguration"])
// bucketName is always present; the rule fields are optional, so strict=false keeps events that lack them
| regex("\"bucketName\"\s*:\s*\"(?<bucket_name>[^\"]+)\"", field=requestParameters)
| regex("\"Days\"\s*:\s*(?<expiration_days_str>\d+)", field=requestParameters, flags="i", strict=false)
| regex("\"Prefix\"\s*:\s*\"(?<filter_prefix>[^\"]*)\"", field=requestParameters, flags="i", strict=false)
| regex("\"Status\"\s*:\s*\"(?<rule_status>[^\"]+)\"", field=requestParameters, flags="i", strict=false)
| default(field=filter_prefix, value="")
| default(field=rule_status, value="")
| rule_status := lower(rule_status)
// No Days value (date-based expiry or a transition-only rule) scores as a non-short expiry
| default(field=expiration_days_str, value="9999")
| parseInt(expiration_days_str, as=expiration_days)
| is_short_expiry := if(expiration_days <= 7 and expiration_days > 0, then="true", else="false")
| is_wildcard := if(filter_prefix = "", then="true", else="false")
// A Status the regex did not capture is treated as enabled so the event is not silently dropped
| is_enabled := if(rule_status = "" or rule_status = "enabled", then="true", else="false")
| case {
    is_enabled = "true" and is_short_expiry = "true" and is_wildcard = "true" | risk_score := "Critical";
    is_enabled = "true" and is_short_expiry = "true" | risk_score := "High";
    is_enabled = "true" and is_wildcard = "true" | risk_score := "Medium";
    * | risk_score := "Low"
  }
| is_enabled = "true"
| coalesce([userIdentityArn, userIdentityUserName], as=actor)
| default(field=actor, value="Unknown")
| table([@timestamp, actor, bucket_name, expiration_days, filter_prefix, rule_status, is_short_expiry, is_wildcard, risk_score, sourceIPAddress, userAgent, awsRegion, eventName], limit=1000)
| sort(@timestamp, order=desc)

Severity: High. Confidence: Medium.

CrowdStrike LogScale (formerly Humio) query detecting AWS S3 lifecycle policy abuse via CloudTrail events ingested through the Falcon Horizon cloud security connector or a direct AWS CloudTrail-to-LogScale pipeline. It parses the bucket name, expiration days, prefix filter, and rule status out of the requestParameters JSON string with named regex groups, then assigns a risk score (Critical/High/Medium/Low) consistent with the reference KQL and SPL detections. Two caveats: each regex captures only its first match, so a configuration carrying several rules is scored on the first Days, Prefix, and Status values it contains (a short-expiry rule placed after a benign transition rule is under-scored); and the #kind=event filter targets standard event records in the repository, so adjust it, and the flattened field names such as userIdentityArn, to your repository's metadata tags and parser if CloudTrail events are stored differently in your LogScale deployment.
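The script below is an added example, not part of the detection page or the LogScale query. It applies the same Critical/High/Medium/Low ladder, but walks every rule in the parsed lifecycle JSON instead of taking a single regex match, which is what lets it catch a short-expiry rule that follows a harmless transition rule. All records, bucket names and the ARN are constructed; the placement of the request body under LifecycleConfiguration.Rule is an assumption to verify against your own CloudTrail data.

```python
"""Scores S3 lifecycle-configuration changes with the same ladder as the LogScale query,
walking every rule in the lifecycle JSON. Added example; all records are constructed."""
import json
from dataclasses import dataclass
from typing import Optional

LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
SHORT_EXPIRY_DAYS = 7                       # same threshold as the LogScale query
RISK_ORDER = ["Low", "Medium", "High", "Critical"]


@dataclass
class RuleFinding:
    bucket: str
    actor: str
    rule_id: str
    expiration_days: Optional[int]
    prefix: str
    enabled: bool
    risk: str


def rule_prefix(rule: dict) -> str:
    """Current rules carry the prefix under Filter (or Filter.And); legacy rules use a top-level Prefix."""
    if "Prefix" in rule:
        return rule["Prefix"] or ""
    flt = rule.get("Filter") or {}
    if "Prefix" in flt:
        return flt["Prefix"] or ""
    return (flt.get("And") or {}).get("Prefix") or ""


def rule_expiration_days(rule: dict) -> Optional[int]:
    """Days-based expiry only; Date-based expiry and transition-only rules yield None."""
    exp = rule.get("Expiration") or {}
    return int(exp["Days"]) if "Days" in exp else None


def score(enabled: bool, expiration_days: Optional[int], prefix: str) -> str:
    """Same ladder as the query: enabled + short expiry + no prefix is Critical."""
    short = expiration_days is not None and 0 < expiration_days <= SHORT_EXPIRY_DAYS
    wildcard = prefix == ""
    if enabled and short and wildcard:
        return "Critical"
    if enabled and short:
        return "High"
    if enabled and wildcard:
        return "Medium"
    return "Low"


def score_event(event: dict) -> list:
    """One finding per lifecycle rule in a CloudTrail PutBucketLifecycle* record; [] for anything else."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in LIFECYCLE_EVENTS:
        return []
    params = event.get("requestParameters") or {}
    if isinstance(params, str):             # some pipelines deliver requestParameters as a JSON string
        params = json.loads(params)
    bucket = params.get("bucketName", "<unknown-bucket>")
    actor = (event.get("userIdentity") or {}).get("arn", "Unknown")
    # ASSUMPTION: the request body is recorded under LifecycleConfiguration.Rule, as a list for
    # several rules or a single object for one rule. Verify against your own CloudTrail data.
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):
        rules = [rules]
    findings = []
    for rule in rules:
        enabled = str(rule.get("Status", "Enabled")).lower() == "enabled"   # missing Status = enabled, as in the query
        days, prefix = rule_expiration_days(rule), rule_prefix(rule)
        findings.append(RuleFinding(bucket, actor, str(rule.get("ID", "")), days, prefix,
                                    enabled, score(enabled, days, prefix)))
    return findings


def bucket_risk(findings: list) -> str:
    """Worst rule wins, so a short-expiry rule hidden behind a benign first rule is still surfaced."""
    return max((f.risk for f in findings), key=RISK_ORDER.index) if findings else "Low"


ACTOR = {"arn": "arn:aws:iam::111122223333:user/example-user"}   # constructed
SAMPLE_EVENTS = [
    {   # one-day expiry, no prefix, enabled -> Critical
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycleConfiguration", "userIdentity": ACTOR,
        "requestParameters": {"bucketName": "example-data-bucket", "LifecycleConfiguration": {
            "Rule": {"ID": "expire-all", "Status": "Enabled", "Filter": {}, "Expiration": {"Days": 1}}}}},
    {   # routine 30-day log expiry under a prefix -> Low
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycleConfiguration", "userIdentity": ACTOR,
        "requestParameters": {"bucketName": "example-log-bucket", "LifecycleConfiguration": {
            "Rule": [{"ID": "logs", "Status": "Enabled", "Filter": {"Prefix": "alb/"}, "Expiration": {"Days": 30}}]}}},
    {   # 90-day transition first, then a 3-day expiry of tmp/ -> High; a first-match regex would see Days=90
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycleConfiguration", "userIdentity": ACTOR,
        "requestParameters": {"bucketName": "example-mixed-bucket", "LifecycleConfiguration": {"Rule": [
            {"ID": "archive", "Status": "Enabled", "Filter": {"Prefix": "archive/"},
             "Transition": {"Days": 90, "StorageClass": "GLACIER"}},
            {"ID": "tmp", "Status": "Enabled", "Filter": {"And": {"Prefix": "tmp/"}}, "Expiration": {"Days": 3}}]}}},
    {   # requestParameters shipped as a JSON string; the rule is disabled -> Low
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle", "userIdentity": ACTOR,
        "requestParameters": json.dumps({"bucketName": "example-disabled-bucket", "LifecycleConfiguration": {
            "Rule": {"ID": "off", "Status": "Disabled", "Prefix": "", "Expiration": {"Days": 2}}}})},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        findings = score_event(ev)
        print(findings[0].bucket, bucket_risk(findings), [(f.rule_id, f.risk) for f in findings])
```

Running it prints one line per constructed record: Critical, Low, High and Low respectively. The third record is the interesting one for tuning: the query's first-match regex picks up the transition rule's Days=90 and the archive/ prefix and scores it Low, while rule-by-rule scoring surfaces the 3-day expiry as High.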

Data Sources

  • AWS CloudTrail via CrowdStrike Falcon Horizon cloud connector
  • AWS CloudTrail direct ingest to LogScale via S3 bucket source or Kinesis Data Firehose

Required Tables

CloudTrail events with eventSource=s3.amazonaws.com in LogScale repository

False Positives & Tuning

  • Automated storage lifecycle management by CloudOps teams: routine S3 lifecycle configuration updates for object tiering, archival to Glacier, or expiry of transient data such as build artifacts and temp uploads will generate identical high-risk hits when expiry is <= 7 days and no prefix is set.
  • CI/CD Terraform apply runs: every Terraform apply touching an aws_s3_bucket_lifecycle_configuration resource will call PutBucketLifecycleConfiguration, including in lower environments, and often in parallel across multiple buckets in the same pipeline execution.
  • AWS-native archival and backup services: AWS Backup, S3 Intelligent-Tiering automation, and third-party CSPM remediation tooling (Prisma Cloud, Wiz, Orca Security) may invoke lifecycle APIs as part of posture correction or backup policy enforcement workflows.
  • Log rotation and retention enforcement: scripts managing CloudTrail, ALB access log, VPC Flow Log, or S3 server access log buckets that programmatically apply or refresh expiration rules to control storage costs are an expected and high-volume source of these events.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Apply 1-Day Deletion Lifecycle to S3 Bucket

    Expected signal: AWS CloudTrail management event: EventName=PutBucketLifecycleConfiguration, EventSource=s3.amazonaws.com, requestParameters.bucketName=<BUCKET_NAME>. The requestParameters will contain the lifecycle JSON with Days=1 and empty Prefix. Sentinel AWSCloudTrail table: TimeGenerated, UserIdentityArn, EventName=PutBucketLifecycleConfiguration, SourceIpAddress, UserAgent=aws-cli.

  2. Test 2: Apply Lifecycle Deletion to CloudTrail Log Delivery Bucket

    Expected signal: Two CloudTrail events: (1) DescribeTrails (readonly) showing reconnaissance step, (2) PutBucketLifecycleConfiguration against the CloudTrail log bucket. The combination of DescribeTrails immediately followed by PutBucketLifecycleConfiguration on the trail's S3 bucket is a high-fidelity indicator in the Sentinel hunting query 2.

  3. Test 3: Azure Blob Storage Lifecycle Management Policy — Short Expiry

    Expected signal: Azure Activity Log event: OperationName=microsoft.storage/storageaccounts/managementpolicies/write, ActivityStatus=Succeeded, Caller=<UPN or service principal>, CallerIpAddress=<source IP>, ResourceId includes the storage account name. Event appears in Sentinel AzureActivity table within 5-15 minutes of execution.

  4. Test 4: Enumerate S3 Buckets and Apply Bulk Lifecycle Deletion (Multi-Bucket Ransomware Simulation)

    Expected signal: Multiple PutBucketLifecycleConfiguration CloudTrail events in rapid succession, all with the same UserIdentityArn and SourceIpAddress, targeting different S3 buckets. Also generates a ListBuckets event immediately prior. This burst pattern (N lifecycle events in <5 minutes from single actor) is highly anomalous and directly triggers hunting query 1.
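The following is an added example (not part of the page or of any Pro content) showing how the two correlation signals above, the multi-bucket burst from Test 4 and the DescribeTrails-then-lifecycle-change sequence from Test 2, can be checked over flattened CloudTrail records, with the allowlist-style tuning the false-positive list calls for. Records, principals, IPs and the allowlist entries are constructed; the Terraform user-agent prefix is an assumption to confirm against your own telemetry.

```python
"""Correlates the burst (Test 4) and precursor (Test 2) patterns over flattened CloudTrail
records and skips allowlisted automation. Added example; all data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
BURST_WINDOW = timedelta(minutes=5)      # "N lifecycle events in <5 minutes from a single actor"
BURST_MIN_BUCKETS = 3                    # distinct buckets before a burst is raised (tuning knob)
PRECURSOR_LOOKBACK = timedelta(minutes=30)

# Tuning allowlist (hypothetical values): automation principals whose lifecycle changes are expected.
ALLOWED_ACTOR_SUBSTRINGS = ("role/terraform-ci", "role/aws-backup-service")
# ASSUMPTION: the Terraform AWS provider's user agent begins with this string.
ALLOWED_USER_AGENT_PREFIXES = ("APN/1.0 HashiCorp/1.0 Terraform",)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_allowlisted(event: dict) -> bool:
    actor, ua = event.get("userIdentityArn", ""), event.get("userAgent", "")
    return any(s in actor for s in ALLOWED_ACTOR_SUBSTRINGS) or ua.startswith(ALLOWED_USER_AGENT_PREFIXES)


def lifecycle_bursts(events: list) -> list:
    """(actor, source IP, buckets) for each actor/IP pair that changed lifecycle rules on
    >= BURST_MIN_BUCKETS distinct buckets inside BURST_WINDOW; allowlisted automation is skipped."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["eventTime"])):
        if e["eventName"] in LIFECYCLE_EVENTS and not is_allowlisted(e):
            by_key[(e["userIdentityArn"], e["sourceIPAddress"])].append(e)
    bursts = []
    for (actor, ip), evs in by_key.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this actor's events
            while parse_ts(evs[end]["eventTime"]) - parse_ts(evs[start]["eventTime"]) > BURST_WINDOW:
                start += 1
            buckets = sorted({x["requestParameters"]["bucketName"] for x in evs[start:end + 1]})
            if len(buckets) >= BURST_MIN_BUCKETS:
                bursts.append((actor, ip, buckets))
                break                          # one alert per actor/IP pair
    return bursts


def trail_bucket_tampering(events: list, trail_buckets: set) -> list:
    """(actor, bucket, preceded_by_DescribeTrails) for lifecycle changes on known CloudTrail buckets.
    The preceded flag is the high-fidelity combination from Test 2; a change without it still reports."""
    describes = [e for e in events if e["eventName"] == "DescribeTrails"]
    hits = []
    for e in events:
        bucket = e.get("requestParameters", {}).get("bucketName")
        if e["eventName"] in LIFECYCLE_EVENTS and bucket in trail_buckets:
            t = parse_ts(e["eventTime"])
            preceded = any(d["userIdentityArn"] == e["userIdentityArn"]
                           and timedelta(0) <= t - parse_ts(d["eventTime"]) <= PRECURSOR_LOOKBACK
                           for d in describes)
            hits.append((e["userIdentityArn"], bucket, preceded))
    return hits


def _ev(name, actor, ip, ts, bucket=None, ua="aws-cli/2.0"):
    """Build a constructed, flattened CloudTrail-style record."""
    e = {"eventName": name, "userIdentityArn": actor, "sourceIPAddress": ip, "eventTime": ts,
         "userAgent": ua, "requestParameters": {}}
    if bucket:
        e["requestParameters"]["bucketName"] = bucket
    return e


USER = "arn:aws:iam::111122223333:user/example-user"                  # constructed
CI = "arn:aws:sts::111122223333:assumed-role/terraform-ci/run-42"    # constructed
TF_UA = "APN/1.0 HashiCorp/1.0 Terraform/1.6.0 (+https://www.terraform.io)"   # constructed
SAMPLE_EVENTS = [
    _ev("ListBuckets", USER, "198.51.100.7", "2024-05-01T10:00:00Z"),
    _ev("PutBucketLifecycleConfiguration", USER, "198.51.100.7", "2024-05-01T10:00:30Z", "bucket-a"),
    _ev("PutBucketLifecycleConfiguration", USER, "198.51.100.7", "2024-05-01T10:01:00Z", "bucket-b"),
    _ev("PutBucketLifecycleConfiguration", USER, "198.51.100.7", "2024-05-01T10:01:30Z", "bucket-c"),
    _ev("DescribeTrails", USER, "198.51.100.7", "2024-05-01T10:05:00Z"),
    _ev("PutBucketLifecycleConfiguration", USER, "198.51.100.7", "2024-05-01T10:06:00Z", "org-cloudtrail-logs"),
    # Terraform apply from CI touching three buckets in one minute: expected, so allowlisted
    _ev("PutBucketLifecycleConfiguration", CI, "203.0.113.9", "2024-05-01T11:00:00Z", "app-dev", TF_UA),
    _ev("PutBucketLifecycleConfiguration", CI, "203.0.113.9", "2024-05-01T11:00:20Z", "app-staging", TF_UA),
    _ev("PutBucketLifecycleConfiguration", CI, "203.0.113.9", "2024-05-01T11:00:40Z", "app-prod", TF_UA),
]

if __name__ == "__main__":
    print(lifecycle_bursts(SAMPLE_EVENTS))
    print(trail_bucket_tampering(SAMPLE_EVENTS, {"org-cloudtrail-logs"}))
```

On the constructed data the burst check reports the interactive user only (three buckets in 60 seconds), while the identical three-bucket Terraform run from CI is suppressed by the allowlist; the trail-bucket check reports the org-cloudtrail-logs change with the preceding DescribeTrails flagged. Keying the burst on actor plus source IP mirrors the Test 4 signal; widening it to actor alone will also catch a principal rotating through egress addresses, at the cost of more noise from shared roles.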
