title: Lifecycle-Triggered Deletion (T1485.001)
id: df00tech-t1485-001
status: experimental
description: "Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. Cloud storage buckets allow users to set lifecycle policies to automate migration, archival, or deletion of objects after a set period of time. If a threat actor has sufficient permissions to modify these policies, they can apply a rule that expires all objects within one day, achieving large-scale data destruction without issuing explicit delete commands. In AWS environments, an adversary with the s3:PutLifecycleConfiguration permission may invoke the PutBucketLifecycle API call to set a short-expiry deletion rule across an entire bucket. Adversaries have also exploited this mechanism against CloudTrail log storage buckets to destroy audit evidence alongside operational data, combining data destruction with indicator removal. Similar capabilities exist in Azure Blob Storage lifecycle management policies and GCP Storage object lifecycle management."
references:
  - https://attack.mitre.org/techniques/T1485/001/
  - https://df00tech.com/detections/T1485.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1485.001
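# NOTE: logsource set to AWS CloudTrail to match the PutBucketLifecycle call named in the description; adjust for your environment
logsource:
  product: aws
  service: cloudtrail
detection:
  # The full detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Assumption: this baseline selection matches every S3 lifecycle configuration change
  # (CloudTrail records the call as PutBucketLifecycle); it does not inspect the expiry period.
  selection:
    eventSource: s3.amazonaws.com
    eventName: PutBucketLifecycle
  condition: selection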
falsepositives:
  - Legitimate data lifecycle management policies for cost optimization — organizations regularly configure long-expiry lifecycle rules to tier old objects to cheaper storage classes or delete them after compliance retention periods
  - Developers or DevOps engineers testing lifecycle configurations in non-production accounts or sandbox S3 buckets
  - Compliance-driven data destruction policies that legitimately set short retention windows for sensitive PII or regulated data to meet legal deletion requirements
  - Data pipeline cleanup rules that intentionally expire temporary processing artifacts or staging data after a short window
  - "Terraform, CDK, or CloudFormation infrastructure-as-code deployments that apply lifecycle policies as part of automated stack provisioning or updates"
level: critical
