T1485.001 Sumo Logic CSE · Sumo

Detect Lifecycle-Triggered Deletion in Sumo Logic CSE

Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets allow users to set lifecycle policies to automate migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they can apply a rule that expires all objects within one day, achieving large-scale data destruction without issuing explicit delete commands. In AWS environments, an adversary with the s3:PutLifecycleConfiguration permission may invoke the PutBucketLifecycle API call to set a short-expiry deletion rule across an entire bucket. Adversaries have also exploited this mechanism against CloudTrail log storage buckets to destroy audit evidence alongside operational data, combining data destruction with indicator removal. Similar capabilities exist in Azure Blob Storage lifecycle management policies and GCP Storage object lifecycle management.

MITRE ATT&CK

Tactic: Impact
Technique: T1485 Data Destruction
Sub-technique: T1485.001 Lifecycle-Triggered Deletion
Canonical reference: https://attack.mitre.org/techniques/T1485/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/activitylogs)
| json field=_raw "eventName" as event_name nodrop
| json field=_raw "requestParameters.bucketName" as bucket_name nodrop
| json field=_raw "operationName" as operation_name nodrop
| json field=_raw "status" as activity_status nodrop
| json field=_raw "userIdentity.arn" as actor_arn nodrop
| json field=_raw "sourceIPAddress" as src_ip nodrop
| json field=_raw "awsRegion" as aws_region nodrop
// AWS: lifecycle PUTs; Azure: successful management policy writes
| where (event_name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"))
  OR (operation_name matches "*managementpolicies/write*"
    AND (toLowerCase(activity_status) = "succeeded" OR toLowerCase(activity_status) = "success"))
// Sumo parse regex uses Java-style named groups (?<name>...), not Python-style (?P<name>...)
| parse regex field=_raw "\"Days\"\s*:\s*(?<expiration_days>\d+)" nodrop
| parse regex field=_raw "\"Prefix\"\s*:\s*\"(?<filter_prefix>[^\"]*)\"" nodrop
| parse regex field=_raw "\"Status\"\s*:\s*\"(?<rule_status>[^\"]*)\"" nodrop
| num(expiration_days) as expiration_days
| if(isNull(expiration_days), 9999, expiration_days) as expiration_days
| if(expiration_days <= 7 AND expiration_days > 0, "true", "false") as is_short_expiry
| if(isNull(filter_prefix) OR filter_prefix = "", "true", "false") as is_wildcard
| if(isNull(rule_status) OR toLowerCase(rule_status) = "enabled", "true", "false") as is_enabled
| if(is_enabled = "true" AND is_short_expiry = "true" AND is_wildcard = "true", "Critical",
    if(is_enabled = "true" AND is_short_expiry = "true", "High",
    if(is_enabled = "true" AND is_wildcard = "true", "Medium", "Low"))) as risk_score
| where is_enabled = "true"
| fields _messageTime, event_name, operation_name, bucket_name, actor_arn, src_ip, aws_region, expiration_days, filter_prefix, rule_status, is_short_expiry, is_wildcard, risk_score
| sort by _messageTime desc
```

Severity: high. Confidence: medium.

Sumo Logic query detecting AWS S3 lifecycle policy abuse and Azure Blob Storage management policy writes with full risk scoring logic. Parses expiration days, prefix filter, and rule status from raw JSON payloads to replicate the KQL/SPL risk scoring (Critical/High/Medium/Low) based on short-expiry threshold (<=7 days) and wildcard prefix coverage. Adjust _sourceCategory values to match your organization's Sumo Logic source taxonomy. For high-volume environments, scope the query with a time range constraint using the time picker rather than relying on _messageTime sorting alone.

Data Sources

  • AWS CloudTrail logs via Sumo Logic AWS CloudTrail HTTP or S3 source
  • Azure Activity Logs via Sumo Logic Azure Event Hubs source

Required Tables

  • _sourceCategory=aws/cloudtrail
  • _sourceCategory=azure/activitylogs

False Positives & Tuning

  • Routine lifecycle policy management by cloud administrators: CloudOps teams applying expiry rules for temporary upload buckets, session data, or ephemeral build artifacts will generate high-risk hits when the configured expiry is <= 7 days and no prefix filter is set.
  • CI/CD pipeline deployments applying IaC modules: Terraform apply runs touching S3 bucket resources with lifecycle blocks will call PutBucketLifecycleConfiguration on each deployment, often across multiple buckets simultaneously in the same pipeline run.
  • Security or compliance automation: scripts enforcing data minimization policies on PII or secrets-rotation buckets by applying short lifecycle rules once the retention window expires will produce Critical-risk hits that are intentional and authorized.
  • Multi-tenant SaaS platform maintenance: platforms hosting data on behalf of multiple customers that bulk-apply per-customer lifecycle configurations during onboarding or offboarding workflows will generate bursts of these events.
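To make the query's scoring logic and the tuning advice above concrete, here is an added example (not the page's or Sumo Logic's own code) that replicates the parse and risk-score stages in Python over constructed CloudTrail and Azure Activity Log lines, then applies an actor allowlist for the known-automation identities listed in the false positives. It uses the same first-match regexes for "Days", "Prefix" and "Status" as the query; the Azure "caller" and "callerIpAddress" fields, the resourceId fallback, and the allowlisted Terraform role ARN are assumptions of this example, and all sample events are constructed.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SHORT_EXPIRY_DAYS = 7          # same threshold the Sumo query uses (expiration_days <= 7)
AWS_LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}

# Mirrors the query's `parse regex` stages: the first match anywhere in the raw JSON wins.
DAYS_RE = re.compile(r'"Days"\s*:\s*(\d+)')
PREFIX_RE = re.compile(r'"Prefix"\s*:\s*"([^"]*)"')
STATUS_RE = re.compile(r'"Status"\s*:\s*"([^"]*)"')


@dataclass
class Finding:
    source: str            # "aws" or "azure"
    target: str            # bucket name (AWS) or resourceId (Azure; assumed field)
    actor: str             # userIdentity.arn (AWS) or caller (Azure; assumed field)
    expiration_days: int
    filter_prefix: str
    risk_score: str


def is_lifecycle_write(event: dict) -> bool:
    """Stage 1 of the query: AWS lifecycle PUTs, or successful Azure managementpolicies writes."""
    if event.get("eventName") in AWS_LIFECYCLE_EVENTS:
        return True
    op = str(event.get("operationName") or "").lower()
    status = str(event.get("status") or "").lower()
    return "managementpolicies/write" in op and status in ("succeeded", "success")


def score_event(raw: str) -> Optional[Finding]:
    """Replicates the query's parse/score stages for one raw line; None means the query drops it."""
    event = json.loads(raw)
    if not is_lifecycle_write(event):
        return None
    m = DAYS_RE.search(raw)
    expiration_days = int(m.group(1)) if m else 9999      # query default when no "Days" key
    m = PREFIX_RE.search(raw)
    filter_prefix = m.group(1) if m else ""
    m = STATUS_RE.search(raw)
    rule_status = m.group(1) if m else ""
    # A missing Status counts as enabled; disabled rules are removed by `where is_enabled = "true"`.
    if not (rule_status == "" or rule_status.lower() == "enabled"):
        return None
    is_short = 0 < expiration_days <= SHORT_EXPIRY_DAYS
    is_wild = filter_prefix == ""
    risk = "Critical" if (is_short and is_wild) else "High" if is_short else "Medium" if is_wild else "Low"
    aws = "eventName" in event
    return Finding(
        source="aws" if aws else "azure",
        target=(event.get("requestParameters") or {}).get("bucketName") or event.get("resourceId", ""),
        actor=(event.get("userIdentity") or {}).get("arn") or event.get("caller", ""),
        expiration_days=expiration_days, filter_prefix=filter_prefix, risk_score=risk,
    )


def triage(raw_lines: Iterable[str], allowlisted_actors: Iterable[str] = ()) -> List[Finding]:
    """Tuning layer: drop hits from known automation identities (CI/CD roles, compliance scripts)."""
    allow = set(allowlisted_actors)
    return [f for f in map(score_event, raw_lines) if f is not None and f.actor not in allow]


# ---- constructed sample telemetry (not real events) ----
def _aws(actor, bucket, days, prefix, status="Enabled"):
    return json.dumps({"eventName": "PutBucketLifecycleConfiguration", "eventSource": "s3.amazonaws.com",
                       "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
                       "userIdentity": {"arn": actor},
                       "requestParameters": {"bucketName": bucket, "LifecycleConfiguration": {"Rule": {
                           "ID": "rule-1", "Status": status, "Filter": {"Prefix": prefix},
                           "Expiration": {"Days": days}}}}})

ALICE = "arn:aws:iam::123456789012:user/alice"
TERRAFORM_ROLE = "arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci"   # assumed CI/CD identity
CONSTRUCTED_EVENTS = [
    _aws(ALICE, "prod-customer-data", 1, ""),               # Critical: 1 day, no prefix
    _aws(ALICE, "uploads", 30, "tmp/"),                     # Low: long expiry, scoped prefix
    _aws(TERRAFORM_ROLE, "build-artifacts", 1, ""),         # Critical, but suppressed by allowlist
    _aws(ALICE, "archive", 1, "", status="Disabled"),       # dropped: rule not enabled
    json.dumps({  # Azure policy body uses daysAfterModificationGreaterThan / prefixMatch, not Days / Prefix
        "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/MANAGEMENTPOLICIES/WRITE",
        "status": "Succeeded", "caller": "svc-backup@example.com", "callerIpAddress": "203.0.113.9",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/"
                      "providers/Microsoft.Storage/storageAccounts/contosoblobs/managementPolicies/default",
        "properties": {"policy": {"rules": [{"name": "purge", "enabled": True, "definition": {
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": []},
            "actions": {"baseBlob": {"delete": {"daysAfterModificationGreaterThan": 1}}}}}]}}}),
]

if __name__ == "__main__":
    for f in triage(CONSTRUCTED_EVENTS, allowlisted_actors={TERRAFORM_ROLE}):
        print(f.risk_score, f.source, f.target, f.actor, f.expiration_days, repr(f.filter_prefix))
```

Running it shows one practitioner caveat of the query as written: because the Days/Prefix/Status regexes are shaped for the S3 lifecycle JSON, an Azure management policy write whose body uses daysAfterModificationGreaterThan and prefixMatch never parses an expiry, so it defaults to 9999 days and lands at Medium regardless of how aggressive the policy is. If Azure coverage matters, add a parallel `parse regex` for those keys.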
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Apply 1-Day Deletion Lifecycle to S3 Bucket

    Expected signal: AWS CloudTrail management event: EventName=PutBucketLifecycleConfiguration, EventSource=s3.amazonaws.com, requestParameters.bucketName=<BUCKET_NAME>. The requestParameters will contain the lifecycle JSON with Days=1 and empty Prefix. Sentinel AWSCloudTrail table: TimeGenerated, UserIdentityArn, EventName=PutBucketLifecycleConfiguration, SourceIpAddress, UserAgent=aws-cli.

  2. Test 2: Apply Lifecycle Deletion to CloudTrail Log Delivery Bucket

    Expected signal: Two CloudTrail events: (1) DescribeTrails (readonly) showing reconnaissance step, (2) PutBucketLifecycleConfiguration against the CloudTrail log bucket. The combination of DescribeTrails immediately followed by PutBucketLifecycleConfiguration on the trail's S3 bucket is a high-fidelity indicator in the Sentinel hunting query 2.

  3. Test 3: Azure Blob Storage Lifecycle Management Policy — Short Expiry

    Expected signal: Azure Activity Log event: OperationName=microsoft.storage/storageaccounts/managementpolicies/write, ActivityStatus=Succeeded, Caller=<UPN or service principal>, CallerIpAddress=<source IP>, ResourceId includes the storage account name. Event appears in Sentinel AzureActivity table within 5-15 minutes of execution.

  4. Test 4: Enumerate S3 Buckets and Apply Bulk Lifecycle Deletion (Multi-Bucket Ransomware Simulation)

    Expected signal: Multiple PutBucketLifecycleConfiguration CloudTrail events in rapid succession, all with the same UserIdentityArn and SourceIpAddress, targeting different S3 buckets. Also generates a ListBuckets event immediately prior. This burst pattern (N lifecycle events in <5 minutes from single actor) is highly anomalous and directly triggers hunting query 1.
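The expected signals for Test 2 and Test 4 are correlation patterns rather than single-event matches: a DescribeTrails followed by a lifecycle write on the trail's log bucket, and a burst of lifecycle writes from one actor and source IP within a short window, preceded by ListBuckets. The following is an added example (not the page's hunting queries, which are not on this page) that implements both checks in Python over constructed CloudTrail lines. The five-minute window is taken from Test 4; the burst threshold of three events, the set of trail log buckets, and the sample identities are assumptions of this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
WINDOW = timedelta(minutes=5)   # "N lifecycle events in <5 minutes" from Test 4
BURST_THRESHOLD = 3             # assumed: tune to your environment's normal deployment fan-out
TRAIL_BUCKETS = {"org-cloudtrail-logs"}   # assumed: buckets that receive CloudTrail log delivery


def _parse(line: str) -> dict:
    """Pull the few CloudTrail fields the correlation needs (standard CloudTrail field names)."""
    e = json.loads(line)
    return {"time": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": e["eventName"], "actor": e["userIdentity"]["arn"],
            "ip": e["sourceIPAddress"],
            "bucket": (e.get("requestParameters") or {}).get("bucketName")}


def find_bursts(lines, window=WINDOW, threshold=BURST_THRESHOLD) -> List[dict]:
    """Test 4 pattern: >= threshold lifecycle writes from one (actor, ip) inside `window`,
    annotated with whether a ListBuckets from the same pair occurred in the preceding window."""
    events = sorted((_parse(l) for l in lines), key=lambda e: e["time"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["actor"], e["ip"])].append(e)
    hits = []
    for (actor, ip), evs in by_pair.items():
        lifecycle = [e for e in evs if e["name"] in LIFECYCLE_EVENTS]
        for i in range(len(lifecycle)):
            start = lifecycle[i]["time"]
            group = [e for e in lifecycle[i:] if e["time"] - start <= window]
            if len(group) >= threshold:
                recon = any(e["name"] == "ListBuckets" and start - window <= e["time"] <= start
                            for e in evs)
                hits.append({"actor": actor, "ip": ip, "count": len(group), "window_start": start,
                             "buckets": sorted({e["bucket"] for e in group}),
                             "preceded_by_listbuckets": recon})
                break   # one finding per actor/ip pair is enough for triage
    return hits


def find_trail_bucket_sequences(lines, window=WINDOW, trail_buckets=TRAIL_BUCKETS) -> List[dict]:
    """Test 2 pattern: DescribeTrails by an actor, followed within `window` by a lifecycle
    write from the same actor against a bucket that receives CloudTrail logs."""
    events = sorted((_parse(l) for l in lines), key=lambda e: e["time"])
    hits = []
    for e in events:
        if e["name"] in LIFECYCLE_EVENTS and e["bucket"] in trail_buckets:
            prior = [p for p in events if p["name"] == "DescribeTrails" and p["actor"] == e["actor"]
                     and timedelta(0) <= e["time"] - p["time"] <= window]
            if prior:
                hits.append({"actor": e["actor"], "bucket": e["bucket"], "lifecycle_time": e["time"],
                             "describe_trails_time": prior[-1]["time"]})
    return hits


# ---- constructed sample telemetry (not real events) ----
def _ct(t, name, actor, ip="198.51.100.7", bucket=None):
    e = {"eventTime": f"2024-05-01T{t}Z", "eventName": name,
         "userIdentity": {"arn": actor}, "sourceIPAddress": ip}
    if bucket:
        e["requestParameters"] = {"bucketName": bucket}
    return json.dumps(e)

ALICE = "arn:aws:iam::123456789012:user/alice"
TERRAFORM_ROLE = "arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci"
CONSTRUCTED_TRAIL = [
    _ct("09:00:00", "PutBucketLifecycleConfiguration", TERRAFORM_ROLE, "10.0.0.5", "build-artifacts"),
    _ct("10:00:00", "ListBuckets", ALICE),
    _ct("10:00:10", "DescribeTrails", ALICE),
    _ct("10:00:30", "PutBucketLifecycleConfiguration", ALICE, bucket="prod-customer-data"),
    _ct("10:01:00", "PutBucketLifecycleConfiguration", ALICE, bucket="prod-backups"),
    _ct("10:01:30", "PutBucketLifecycleConfiguration", ALICE, bucket="prod-exports"),
    _ct("10:02:00", "PutBucketLifecycleConfiguration", ALICE, bucket="org-cloudtrail-logs"),
]

if __name__ == "__main__":
    print("bursts:", find_bursts(CONSTRUCTED_TRAIL))
    print("trail-bucket sequences:", find_trail_bucket_sequences(CONSTRUCTED_TRAIL))
```

The single Terraform write in the sample never reaches the burst threshold, which is the point of keying on a per-pipeline threshold rather than on any lifecycle write: the IaC false positive above is distinguished by its identity and its fan-out, not by the API call itself.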
