
Detect Lifecycle-Triggered Deletion in IBM QRadar

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets allow users to set lifecycle policies to automate migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they can apply a rule that expires all objects within one day, achieving large-scale data destruction without issuing explicit delete commands. In AWS environments, an adversary with the s3:PutLifecycleConfiguration permission may invoke the PutBucketLifecycle API call to set a short-expiry deletion rule across an entire bucket. Adversaries have also exploited this mechanism against CloudTrail log storage buckets to destroy audit evidence alongside operational data, combining data destruction with indicator removal. Similar capabilities exist in Azure Blob Storage lifecycle management policies and GCP Storage object lifecycle management.

MITRE ATT&CK

Tactic
Impact
Technique
T1485 Data Destruction
Sub-technique
T1485.001 Lifecycle-Triggered Deletion
Canonical reference
https://attack.mitre.org/techniques/T1485/001/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  username AS actor,
  sourceip AS source_ip,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  payload
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN (
    'Amazon AWS CloudTrail',
    'Microsoft Azure Event Hubs',
    'Microsoft Azure Active Directory Audit'
  )
  AND (
    payload LIKE '%PutBucketLifecycle%'
    OR payload LIKE '%PutBucketLifecycleConfiguration%'
    OR (
      payload ILIKE '%managementpolicies%'
      AND payload ILIKE '%write%'
      AND (
        payload ILIKE '%Succeeded%'
        OR payload ILIKE '%Success%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: high, confidence: medium

IBM QRadar AQL query that detects S3 lifecycle policy abuse events (PutBucketLifecycle, PutBucketLifecycleConfiguration) and Azure Blob Storage management policy writes by searching raw event payloads across the AWS CloudTrail and Azure log source types. The time range is scoped by the trailing LAST 24 HOURS clause rather than by a predicate on starttime, and the Azure predicates use ILIKE because the casing of the operation name (microsoft.storage/storageaccounts/managementpolicies/write) varies between Activity Log exports while LIKE is case-sensitive. Requires the Amazon AWS CloudTrail DSM and a Microsoft Azure DSM (Event Hubs or Activity) to be installed and receiving data. If your QRadar deployment extracts eventName into a custom event property via a DSM extension, replace the payload LIKE predicates with an equality check on that extracted property for better performance and accuracy.

Data Sources

  • IBM QRadar Amazon AWS CloudTrail DSM
  • IBM QRadar Microsoft Azure Event Hubs DSM
  • IBM QRadar Microsoft Azure Active Directory Audit DSM

Required Tables

events

False Positives & Tuning

  • Authorized CI/CD infrastructure pipelines: Terraform, Ansible, or CloudFormation deployments applying S3 lifecycle configurations from version-controlled templates will call PutBucketLifecycleConfiguration on every apply run, including automated runs triggered by merge events.
  • Cloud storage management platforms: third-party tools such as Commvault, NetApp Cloud Manager, or AWS Storage Lens that automate lifecycle policies across accounts will generate these events without malicious intent, particularly during scheduled bulk-policy enforcement runs.
  • AWS Backup and Data Lifecycle Manager: AWS-native archival and backup services internally invoke lifecycle APIs as part of normal object archival and backup policy enforcement workflows.
  • Log storage bucket maintenance: security or operations teams applying or adjusting lifecycle expiry rules on high-volume log buckets (VPC Flow Logs, ALB access logs, CloudTrail) to control storage costs are expected to trigger this query.
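The query above matches on raw payload substrings, its description recommends an equality check on an extracted event name where one is available, and the tuning list names the automation that legitimately produces these events. The following Python is an added example, not code from this detection page or from QRadar, that shows both ideas applied to normalized CloudTrail and Azure Activity records: whole-field matching on eventName (AWS) or OperationName plus status (Azure), and a principal-based tuning allowlist that marks expected callers as suppressed instead of dropping them. The allowlisted ARNs and callers, the flattened Azure field names and the sample records are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values the AQL query searches for, compared here as whole field values rather
# than payload substrings. AWS names come from the CloudTrail eventName field; the
# Azure operation name is lower-cased before comparison because its casing differs
# between Activity Log exports.
AWS_LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
AZURE_LIFECYCLE_OP = "microsoft.storage/storageaccounts/managementpolicies/write"
AZURE_SUCCESS = {"succeeded", "success"}

# Tuning allowlist (constructed for this example; replace with your own).
# Keyed on the calling principal, which the provider records server-side, rather
# than on the user agent, which any client can set to look like Terraform.
# Allowlisted hits are kept and flagged 'suppressed' instead of dropped, so a
# pipeline role writing a one-day expiry to the wrong bucket stays reviewable.
ALLOWED_AWS_PRINCIPALS = {
    "arn:aws:sts::123456789012:assumed-role/terraform-apply/ci-runner",
    "arn:aws:sts::123456789012:assumed-role/AWSBackupDefaultServiceRole/AWSBackup",
}
ALLOWED_AZURE_CALLERS = {"sp-storage-lifecycle@example.com"}


@dataclass
class Finding:
    source: str       # "aws" or "azure"
    actor: str        # IAM ARN or Azure caller
    source_ip: str
    target: str       # S3 bucket name or Azure resource ID
    suppressed: bool  # True when the actor is on the tuning allowlist


def classify_cloudtrail(rec: dict) -> Optional[Finding]:
    """Return a Finding if a CloudTrail record is an S3 lifecycle-configuration write."""
    if rec.get("eventSource") != "s3.amazonaws.com":
        return None
    if rec.get("eventName") not in AWS_LIFECYCLE_EVENTS:
        return None
    actor = rec.get("userIdentity", {}).get("arn", "")
    bucket = rec.get("requestParameters", {}).get("bucketName", "")
    return Finding("aws", actor, rec.get("sourceIPAddress", ""), bucket,
                   suppressed=actor in ALLOWED_AWS_PRINCIPALS)


def classify_azure(rec: dict) -> Optional[Finding]:
    """Return a Finding if an Azure Activity record is a successful management-policy write.
    Field names follow the flattened form used in this page's test descriptions (assumed)."""
    if rec.get("OperationName", "").lower() != AZURE_LIFECYCLE_OP:
        return None
    if rec.get("ActivityStatus", "").lower() not in AZURE_SUCCESS:
        return None
    caller = rec.get("Caller", "")
    return Finding("azure", caller, rec.get("CallerIpAddress", ""), rec.get("ResourceId", ""),
                   suppressed=caller in ALLOWED_AZURE_CALLERS)


def run_detection(records: List[dict]) -> List[Finding]:
    """Apply the matching classifier to each record (CloudTrail records carry eventName)."""
    findings = []
    for rec in records:
        f = classify_cloudtrail(rec) if "eventName" in rec else classify_azure(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records; values are illustrative, not real telemetry.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycleConfiguration",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/terraform-apply/ci-runner"},
     "sourceIPAddress": "198.51.100.5", "userAgent": "Terraform/1.6.0",
     "requestParameters": {"bucketName": "alb-access-logs"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycleConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"bucketName": "customer-exports"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"bucketName": "customer-exports"}},
    {"OperationName": "Microsoft.Storage/storageAccounts/managementPolicies/write",
     "ActivityStatus": "Succeeded", "Caller": "jdoe@example.com", "CallerIpAddress": "203.0.113.20",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stexample"},
    {"OperationName": "Microsoft.Storage/storageAccounts/managementPolicies/write",
     "ActivityStatus": "Failed", "Caller": "jdoe@example.com", "CallerIpAddress": "203.0.113.20",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stexample"},
    {"OperationName": "microsoft.storage/storageaccounts/managementpolicies/write",
     "ActivityStatus": "Success", "Caller": "sp-storage-lifecycle@example.com", "CallerIpAddress": "198.51.100.9",
     "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stlogs"},
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_RECORDS):
        print(f"{f.source:5} {f.actor} -> {f.target} suppressed={f.suppressed}")
```

Run against the sample set, the GetObject and the failed Azure write produce nothing, the Terraform role and the allowlisted service principal produce suppressed findings, and the interactive IAM user and the interactive Azure caller produce live findings. Keying the allowlist on the principal rather than the user agent matters because the user agent is client-supplied: an actor using a stolen credential can send `Terraform/1.6.0` just as easily as `aws-cli`.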

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Apply 1-Day Deletion Lifecycle to S3 Bucket

    Expected signal: AWS CloudTrail management event: EventName=PutBucketLifecycleConfiguration, EventSource=s3.amazonaws.com, requestParameters.bucketName=<BUCKET_NAME>. The requestParameters will contain the lifecycle JSON with Days=1 and an empty Prefix. Sentinel AWSCloudTrail table: TimeGenerated, UserIdentityArn, EventName=PutBucketLifecycleConfiguration, SourceIpAddress, UserAgent=aws-cli.

  2. Test 2: Apply Lifecycle Deletion to CloudTrail Log Delivery Bucket

    Expected signal: Two CloudTrail events: (1) DescribeTrails (read-only), showing the reconnaissance step, and (2) PutBucketLifecycleConfiguration against the CloudTrail log bucket. DescribeTrails immediately followed by PutBucketLifecycleConfiguration on the trail's S3 bucket is a high-fidelity indicator in the Sentinel hunting query 2.

  3. Test 3: Azure Blob Storage Lifecycle Management Policy — Short Expiry

    Expected signal: Azure Activity Log event: OperationName=microsoft.storage/storageaccounts/managementpolicies/write, ActivityStatus=Succeeded, Caller=<UPN or service principal>, CallerIpAddress=<source IP>, ResourceId including the storage account name. The event appears in the Sentinel AzureActivity table within 5-15 minutes of execution.

  4. Test 4: Enumerate S3 Buckets and Apply Bulk Lifecycle Deletion (Multi-Bucket Ransomware Simulation)

    Expected signal: Multiple PutBucketLifecycleConfiguration CloudTrail events in rapid succession, all with the same UserIdentityArn and SourceIpAddress and targeting different S3 buckets, preceded by a ListBuckets event. This burst pattern (N lifecycle events in under 5 minutes from a single actor) is highly anomalous and directly triggers hunting query 1.
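The four tests above describe three signals beyond a single lifecycle write: a rule body with Days=1 and an empty Prefix (Test 1), DescribeTrails followed by a write against the trail's own log bucket (Test 2), and a burst of writes to many buckets from one actor within five minutes (Test 4). The Python below is an added example, not code from this page or from Atomic Red Team, that evaluates those three conditions over a constructed sequence of CloudTrail records grouped per actor. The thresholds SHORT_EXPIRY_DAYS and BURST_MIN_BUCKETS, the TRAIL_BUCKETS set, the sample ARNs and the record builder are assumptions for the example; in production TRAIL_BUCKETS would be populated from each trail's S3BucketName.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LIFECYCLE_WRITE = "PutBucketLifecycleConfiguration"
RECON_TRAILS = "DescribeTrails"
WINDOW = timedelta(minutes=5)   # burst window taken from Test 4 ("<5 minutes")
BURST_MIN_BUCKETS = 3           # constructed threshold; tune per environment
SHORT_EXPIRY_DAYS = 7           # constructed: expiry at or below this, with no prefix, is treated as destructive
# Constructed: buckets that receive CloudTrail log delivery. In production, build this
# from the S3BucketName of every trail rather than hard-coding it.
TRAIL_BUCKETS = {"org-cloudtrail-logs"}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _rules(lifecycle: dict) -> List[dict]:
    # CloudTrail renders the request's XML body, so the key may be "Rule"
    # (a dict for one rule, a list for several) or "Rules"; normalise to a list.
    rules = lifecycle.get("Rules", lifecycle.get("Rule", []))
    return rules if isinstance(rules, list) else [rules]


def is_short_expiry(lifecycle: dict) -> bool:
    """True when an enabled rule expires every object (no prefix or filter prefix)
    within SHORT_EXPIRY_DAYS, the Days=1 / empty-Prefix shape from Test 1."""
    for rule in _rules(lifecycle):
        if rule.get("Status") != "Enabled":
            continue
        days = rule.get("Expiration", {}).get("Days")
        prefix = rule.get("Prefix") or rule.get("Filter", {}).get("Prefix") or ""
        if days is not None and int(days) <= SHORT_EXPIRY_DAYS and prefix == "":
            return True
    return False


def analyze(records: List[dict]) -> Dict[Tuple[str, str], List[str]]:
    """Return {(actor_arn, bucket): tags} for every lifecycle write, with tags
    'short_expiry' (Test 1), 'burst' (Test 4) and 'trail_bucket' (Test 2)."""
    by_actor: Dict[str, List[dict]] = {}
    for rec in sorted(records, key=lambda r: _ts(r["eventTime"])):
        by_actor.setdefault(rec["userIdentity"]["arn"], []).append(rec)

    findings: Dict[Tuple[str, str], List[str]] = {}
    for actor, events in by_actor.items():
        for i, ev in enumerate(events):
            if ev["eventName"] != LIFECYCLE_WRITE:
                continue
            now = _ts(ev["eventTime"])
            params = ev.get("requestParameters", {})
            bucket = params.get("bucketName", "")
            tags: List[str] = []
            if is_short_expiry(params.get("LifecycleConfiguration", {})):
                tags.append("short_expiry")
            # Events by this actor inside the trailing window, current event included.
            window = [e for e in events[: i + 1] if now - _ts(e["eventTime"]) <= WINDOW]
            touched = {e["requestParameters"]["bucketName"]
                       for e in window if e["eventName"] == LIFECYCLE_WRITE}
            if len(touched) >= BURST_MIN_BUCKETS:
                tags.append("burst")
            if bucket in TRAIL_BUCKETS and any(e["eventName"] == RECON_TRAILS for e in window):
                tags.append("trail_bucket")
            findings[(actor, bucket)] = tags
    return findings


def _ev(time: str, arn: str, name: str, bucket: str = "", days: int = None) -> dict:
    """Build a minimal constructed CloudTrail record (not real telemetry)."""
    rec = {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn},
           "sourceIPAddress": "203.0.113.10"}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
        if days is not None:
            rec["requestParameters"]["LifecycleConfiguration"] = {"Rule": {
                "ID": "expire-all", "Status": "Enabled", "Prefix": "", "Expiration": {"Days": days}}}
    return rec


# Constructed sample: one actor enumerates buckets, applies 1-day expiry to three of them,
# looks up the trail and hits its log bucket; a CI role sets a 90-day rule on an ALB log bucket.
SUSPECT_USER = "arn:aws:iam::123456789012:user/ops-admin"
CI_ROLE = "arn:aws:sts::123456789012:assumed-role/terraform-apply/ci-runner"
SAMPLE_RECORDS = [
    _ev("2024-05-01T10:00:00Z", SUSPECT_USER, "ListBuckets"),
    _ev("2024-05-01T10:00:30Z", SUSPECT_USER, LIFECYCLE_WRITE, "app-data-1", 1),
    _ev("2024-05-01T10:01:00Z", SUSPECT_USER, LIFECYCLE_WRITE, "app-data-2", 1),
    _ev("2024-05-01T10:01:30Z", SUSPECT_USER, LIFECYCLE_WRITE, "app-data-3", 1),
    _ev("2024-05-01T10:02:00Z", SUSPECT_USER, RECON_TRAILS),
    _ev("2024-05-01T10:02:20Z", SUSPECT_USER, LIFECYCLE_WRITE, "org-cloudtrail-logs", 1),
    _ev("2024-05-01T09:00:00Z", CI_ROLE, LIFECYCLE_WRITE, "alb-access-logs", 90),
]

if __name__ == "__main__":
    for (actor, bucket), tags in analyze(SAMPLE_RECORDS).items():
        print(f"{actor} -> {bucket}: {tags or 'no tags'}")
```

On the sample, the first two writes carry only `short_expiry`, the third adds `burst` once three distinct buckets fall inside the window, and the write to the trail bucket carries all three tags; the CI role's 90-day rule on an ALB log bucket produces a finding with no tags, which is the case the tuning section expects to be benign. Keying findings by (actor, bucket) means a repeated write to the same bucket keeps only the latest tags; a production version would key on event ID instead.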
