AWS S3 Bucket Versioning Disable

Rule Info

Name
AWS S3 Bucket Versioning Disable
Author
Sean Johnstone | Unit 42
Description
Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
Reference
https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
Date
2023-10-28 00:00:00
Modified
None
Id
a136ac98-b2bc-4189-a14d-f0d0388e57a7
Tags
attack.impact attack.t1490 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=a136ac98-b2bc-4189-a14d-f0d0388e57a7

Rule History

Author
Title
Date
Commit
Sean Johnstone
Merge PR #4523 from @sj-sec - Add New AWS Rule `S3 Bucket Versioning Disable`
2023-10-28
fa85c19b9
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022