Potential AWS S3 Bucket Ransomware Note Uploaded

Last updated: 2024-10-09
Created: 2024-04-17

About

Identifies a potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom` or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Use Case: Threat Detection
Tactic: Impact
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)

False Positive Examples
Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of events is not part of a legitimate operation before taking action.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws

Query
from logs-aws.cloudtrail-*

// any successful uploads via S3 API requests
| where event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action == "PutObject"
    and event.outcome == "success"

// extract the object name from the API request parameters
| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}"

// regex on common ransomware note extensions
| where object_name rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)"
    and not object_name rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)"

// keep relevant fields
| keep tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name

// aggregate by S3 bucket, resource and object name
| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name

// filter for single occurrence to eliminate common upload operations
| where note_upload_count == 1
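The same pipeline replayed in Python over a handful of constructed CloudTrail documents, as an added example that is not part of the Elastic rule: the two regexes are copied from the query, the dissect step is mirrored with a regex, and the final count filter drops a key that was written twice. The bucket endpoint, IAM ARN and object keys are constructed sample values.

```python
import re
from collections import Counter

# The rule's two RLIKE patterns, copied verbatim (kept case-sensitive, like RLIKE)
NOTE_RE = re.compile(r"(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)")
EXCLUDE_RE = re.compile(r"(AWSLogs|CloudTrail|access-logs)")

def make_event(bucket_host, arn, key, outcome="success"):
    # Constructed CloudTrail document carrying only the fields the rule reads
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": "PutObject",
        "event.outcome": outcome,
        "tls.client.server_name": bucket_host,
        "aws.cloudtrail.user_identity.arn": arn,
        # flattened string; key= is the last pair, hence the literal "}" in the dissect
        "aws.cloudtrail.request_parameters": f"{{bucketName={bucket_host.split('.')[0]}, Host={bucket_host}, key={key}}}",
    }

def extract_object_name(request_parameters):
    """Equivalent of the rule's dissect "%{?ignore_values}key=%{object_name}}"."""
    m = re.search(r"key=(.*)\}$", request_parameters)
    return m.group(1) if m else None

def detect_ransom_notes(events):
    """Apply the rule's filters, then count per bucket/identity/object like the stats step."""
    counts = Counter()
    for ev in events:
        if (ev.get("event.dataset"), ev.get("event.provider"), ev.get("event.action"),
                ev.get("event.outcome")) != ("aws.cloudtrail", "s3.amazonaws.com", "PutObject", "success"):
            continue
        name = extract_object_name(ev["aws.cloudtrail.request_parameters"])
        if name is None or not NOTE_RE.search(name) or EXCLUDE_RE.search(name):
            continue
        counts[(ev["tls.client.server_name"], ev["aws.cloudtrail.user_identity.arn"], name)] += 1
    # final filter: a single upload per bucket/identity/key, dropping bulk or repeated writes
    return sorted(k for k, n in counts.items() if n == 1)

HOST = "example-bucket.s3.us-east-1.amazonaws.com"   # constructed bucket endpoint
ARN = "arn:aws:iam::111122223333:user/example-user"  # constructed identity
SAMPLE_EVENTS = [
    make_event(HOST, ARN, "RECOVER_FILES.ransom"),                    # alerts
    make_event(HOST, ARN, "README.txt"),                               # no match: pattern is lowercase
    make_event(HOST, ARN, "AWSLogs/111122223333/CloudTrail/enc.json"), # "enc" matches but excluded
    make_event(HOST, ARN, "state/terraform.lock"),                     # written twice -> count 2, dropped
    make_event(HOST, ARN, "state/terraform.lock"),
    make_event(HOST, ARN, "decrypt_instructions.txt", outcome="failure"),  # not a success
]
```

Calling `detect_ransom_notes(SAMPLE_EVENTS)` returns only the `RECOVER_FILES.ransom` tuple; the uppercase `README.txt` case shows that the rule's lowercase patterns do not match uppercase note names.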

Install detection rules in Elastic Security

Detect Potential AWS S3 Bucket Ransomware Note Uploaded in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.