T1485.001 Splunk · SPL

Detect Lifecycle-Triggered Deletion in Splunk

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets allow users to set lifecycle policies to automate migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they can apply a rule that expires all objects within one day, achieving large-scale data destruction without issuing explicit delete commands. In AWS environments, an adversary with the s3:PutLifecycleConfiguration permission may invoke the PutBucketLifecycle API call to set a short-expiry deletion rule across an entire bucket. Adversaries have also exploited this mechanism against CloudTrail log storage buckets to destroy audit evidence alongside operational data, combining data destruction with indicator removal. Similar capabilities exist in Azure Blob Storage lifecycle management policies and GCP Storage object lifecycle management.

MITRE ATT&CK

Tactic
Impact
Technique
T1485 Data Destruction
Sub-technique
T1485.001 Lifecycle-Triggered Deletion
Canonical reference
https://attack.mitre.org/techniques/T1485/001/

SPL Detection Query

Splunk (SPL)
spl 
index=aws sourcetype=aws:cloudtrail
  (eventName=PutBucketLifecycle OR eventName=PutBucketLifecycleConfiguration)
| spath input=requestParameters output=bucketName path=bucketName
| eval rawParams=requestParameters
| rex field=rawParams "\"Days\"\s*:\s*(?P<expiration_days>\d+)"
| rex field=rawParams "\"Prefix\"\s*:\s*\"(?P<filter_prefix>[^\"]*)\""
| rex field=rawParams "\"Status\"\s*:\s*\"(?P<rule_status>[^\"]*)\""
| eval expiration_days=if(isnotnull(expiration_days), tonumber(expiration_days), 9999)
| eval is_short_expiry=if(expiration_days <= 7 AND expiration_days > 0, 1, 0)
| eval is_wildcard=if(isnull(filter_prefix) OR filter_prefix="", 1, 0)
| eval is_enabled=if(isnull(rule_status) OR lower(rule_status)="enabled", 1, 0)
| eval risk_score=case(
    is_enabled=1 AND is_short_expiry=1 AND is_wildcard=1, "Critical",
    is_enabled=1 AND is_short_expiry=1, "High",
    is_enabled=1 AND is_wildcard=1, "Medium",
    true(), "Low")
| eval actor=coalesce('userIdentity.arn', 'userIdentity.userName', 'userIdentity.sessionContext.sessionIssuer.arn', "Unknown")
| eval error_code=if(isnotnull(errorCode), errorCode, "")
| where is_enabled=1
| table _time, actor, bucketName, expiration_days, filter_prefix, rule_status,
        is_short_expiry, is_wildcard, risk_score, sourceIPAddress, userAgent,
        awsRegion, eventName, error_code
| sort - _time
critical severity high confidence

Detects S3 bucket lifecycle policy modifications that could enable ransomware-style bulk data deletion through AWS CloudTrail logs. Uses rex field extraction to parse expiration days, prefix filters, and rule status from CloudTrail requestParameters. Assigns risk scores based on how quickly and broadly the lifecycle rule would delete objects. Critical risk when expiration is 7 days or fewer and the rule applies to all objects (empty prefix). Tracks both the API caller identity and source IP to identify anomalous access patterns.

Data Sources

Cloud Storage: Cloud Storage ModificationAWS CloudTrail: S3 API CallsSplunk Add-on for AWS

Required Sourcetypes

aws:cloudtrail

False Positives & Tuning

  • Legitimate data lifecycle management policies for cost optimization — organizations regularly configure long-expiry lifecycle rules to tier old objects to Glacier or delete them after compliance retention periods
  • Developer or DevOps engineers testing lifecycle configurations in non-production accounts or sandbox S3 buckets with intentionally short lifespans
  • Compliance-driven data destruction policies that legitimately set short retention windows for sensitive PII under legal deletion requirements
  • Infrastructure-as-code (Terraform, CDK, CloudFormation) automated deployments applying lifecycle configurations during stack creation or update
  • Data engineering pipelines that configure short-lived lifecycle rules to clean up temporary processing objects in staging buckets
Download portable Sigma rule (.yml)

Other platforms for T1485.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Apply 1-Day Deletion Lifecycle to S3 Bucket

    Expected signal: AWS CloudTrail management event: EventName=PutBucketLifecycleConfiguration, EventSource=s3.amazonaws.com, requestParameters.bucketName=<BUCKET_NAME>. The requestParameters will contain the lifecycle JSON with Days=1 and empty Prefix. Sentinel AWSCloudTrail table: TimeGenerated, UserIdentityArn, EventName=PutBucketLifecycleConfiguration, SourceIpAddress, UserAgent=aws-cli.

  2. Test 2Apply Lifecycle Deletion to CloudTrail Log Delivery Bucket

    Expected signal: Two CloudTrail events: (1) DescribeTrails (readonly) showing reconnaissance step, (2) PutBucketLifecycleConfiguration against the CloudTrail log bucket. The combination of DescribeTrails immediately followed by PutBucketLifecycleConfiguration on the trail's S3 bucket is a high-fidelity indicator in the Sentinel hunting query 2.

  3. Test 3Azure Blob Storage Lifecycle Management Policy — Short Expiry

    Expected signal: Azure Activity Log event: OperationName=microsoft.storage/storageaccounts/managementpolicies/write, ActivityStatus=Succeeded, Caller=<UPN or service principal>, CallerIpAddress=<source IP>, ResourceId includes the storage account name. Event appears in Sentinel AzureActivity table within 5-15 minutes of execution.

  4. Test 4Enumerate S3 Buckets and Apply Bulk Lifecycle Deletion (Multi-Bucket Ransomware Simulation)

    Expected signal: Multiple PutBucketLifecycleConfiguration CloudTrail events in rapid succession, all with the same UserIdentityArn and SourceIpAddress, targeting different S3 buckets. Also generates a ListBuckets event immediately prior. This burst pattern (N lifecycle events in <5 minutes from single actor) is highly anomalous and directly triggers hunting query 1.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1485.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1485Data Destruction

Related Techniques

T1485Data DestructionT1070Indicator RemovalT1070.009Clear PersistenceT1530Data from Cloud StorageT1537Transfer Data to Cloud AccountT1578.002Create Cloud InstanceT1619Cloud Storage Object DiscoveryT1657Financial TheftT1098.001Additional Cloud Credentials

Same Tactic: Impact

Popular Detections