SigmaHQ/rules/cloud/aws_s3_data_management_tampering.yml

title: AWS S3 Data Management Tamperin
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
author: Austin Songer
status: experimental
date: 2021/07/24
references:
    - https://github.com/elastic/detection-rules/pull/1145/files
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
    - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
logsource:
    service: cloudtrail
detection:
    selection:
        eventSource: iam.amazonaws.com
        eventName:
           - PutBucketLogging
           - PutBucketWebsite
           - PutEncryptionConfiguration
           - PutLifecycleConfiguration
           - PutReplicationConfiguration
           - ReplicateObject
           - RestoreObject
    condition: selection
level: low
tags:
    - attack.exfiltration
    - attack.t1537
falsepositives:
- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Update aws_s3_data_management_tampering.yml 2021-07-24 16:17:18 +00:00			`title: AWS S3 Data Management Tamperin`
Create aws_s3_data_management_tampering.yml 2021-07-24 16:12:19 +00:00			`id: 78b3756a-7804-4ef7-8555-7b9024a02e2d`
			`description: Detects when a user tampers with S3 data management in Amazon Web Services.`
Update aws_s3_data_management_tampering.yml 2021-07-24 16:17:18 +00:00			`author: Austin Songer`
Create aws_s3_data_management_tampering.yml 2021-07-24 16:12:19 +00:00			`status: experimental`
			`date: 2021/07/24`
			`references:`
Update aws_s3_data_management_tampering.yml 2021-07-24 16:17:18 +00:00			`- https://github.com/elastic/detection-rules/pull/1145/files`
Create aws_s3_data_management_tampering.yml 2021-07-24 16:12:19 +00:00			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html`
			`- https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html`
			`logsource:`
			`service: cloudtrail`
			`detection:`
Update aws_s3_data_management_tampering.yml 2021-07-25 07:25:24 +00:00			`selection:`
			`eventSource: iam.amazonaws.com`
			`eventName:`
			`- PutBucketLogging`
			`- PutBucketWebsite`
			`- PutEncryptionConfiguration`
			`- PutLifecycleConfiguration`
			`- PutReplicationConfiguration`
			`- ReplicateObject`
			`- RestoreObject`
			`condition: selection`
Create aws_s3_data_management_tampering.yml 2021-07-24 16:12:19 +00:00			`level: low`
			`tags:`
			`- attack.exfiltration`
			`- attack.t1537`
			`falsepositives:`
			`- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.`