Potential AWS S3 Bucket Ransomware Note Uploaded

About

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS S3Use Case: Threat DetectionTactic: ImpactLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Impact (TA0040)(external, opens in a new tab or window)

↳ Data Destruction (T1485)(external, opens in a new tab or window)

↳ Data Encrypted for Impact (T1486)(external, opens in a new tab or window)

False Positive Examples

Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the uploaded files are not part of a legitimate operation before taking action.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

filebeat-*logs-aws.cloudtrail-*

Related Integrations

aws(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗file where
  event.dataset == "aws.cloudtrail" and
  event.provider == "s3.amazonaws.com" and
  event.action == "PutObject" and
  event.outcome == "success" and
  /* Apply regex to match patterns only after the bucket name */
  aws.cloudtrail.resources.arn regex "arn:aws:s3:::[^/]+/.*?(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue).*" and
  not aws.cloudtrail.resources.arn regex ".*(AWSLogs|CloudTrail|access-logs).*"